Use PHP hash_equals() to compare the token

This avoids a possible timing attack. hash_equals() was introduced in PHP 5.6.
fetus-hina · Jun 23, 2024 · 84e01ea · 84e01ea
1 parent a113d63
commit 84e01ea
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/Totp.php b/src/Totp.php
@@ -159,7 +159,7 @@ public static function verify(
         $stepEnd   = $currentStep + (int)$acceptStepFuture + 1;
         for ($testTimeStep = $stepBegin; $testTimeStep < $stepEnd; ++$testTimeStep) {
             $testValue = self::calcMain($keyBinary, $testTimeStep, $digits, $hash);
-            if ($testValue === $value) {
+            if (hash_equals($testValue, $value)) {
                 return true;
             }
         }