refactor(rivetkit-core): use subtle::ConstantTimeEq for inspector token verify

NathanFlurry · NathanFlurry · commit bef655022d3a · 2026-04-24T05:01:22.000-07:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/rivetkit-rust/packages/rivetkit-core/Cargo.toml b/rivetkit-rust/packages/rivetkit-core/Cargo.toml
@@ -34,6 +34,7 @@ serde.workspace = true
 serde_json.workspace = true
 serde_bare.workspace = true
 serde_bytes.workspace = true
+subtle.workspace = true
 tokio.workspace = true
 tokio-util.workspace = true
 tracing.workspace = true
diff --git a/rivetkit-rust/packages/rivetkit-core/src/inspector/auth.rs b/rivetkit-rust/packages/rivetkit-core/src/inspector/auth.rs
@@ -3,6 +3,7 @@ use base64::{Engine, engine::general_purpose::URL_SAFE_NO_PAD};
 use rand::RngCore;
 use rivet_error::RivetError as RivetErrorDerive;
 use serde::{Deserialize, Serialize};
+use subtle::ConstantTimeEq;
 
 use crate::ActorContext;
 
@@ -91,22 +92,9 @@ fn generate_inspector_token() -> String {
 }
 
 fn verify_token_bytes(candidate: &[u8], expected: &[u8]) -> Result<()> {
-	if timing_safe_equal(candidate, expected) {
+	if candidate.ct_eq(expected).into() {
 		Ok(())
 	} else {
 		Err(InspectorUnauthorized.build())
 	}
 }
-
-fn timing_safe_equal(left: &[u8], right: &[u8]) -> bool {
-	let max_len = left.len().max(right.len());
-	let mut diff = left.len() ^ right.len();
-
-	for idx in 0..max_len {
-		let left_byte = left.get(idx).copied().unwrap_or_default();
-		let right_byte = right.get(idx).copied().unwrap_or_default();
-		diff |= usize::from(left_byte ^ right_byte);
-	}
-
-	diff == 0
-}
