
Make the AdminBootstrapToken comparison constant-time and require a strong configured token #55

Description

@Jagadeeshftw

📌 Description

internal/handlers/admin.go BootstrapAdmin() promotes the authenticated user to admin if the X-Admin-Bootstrap-Token header matches cfg.AdminBootstrapToken. The comparison appears to be a plain ==, which is not constant-time and is therefore susceptible to timing analysis, and there is no enforcement that the token is non-empty/sufficiently strong before the endpoint is usable.

💡 Why it matters: A timing-leaky or weak admin-bootstrap secret is a direct privilege-escalation risk — it grants the admin role.

🧩 Requirements and context

  • Use crypto/subtle.ConstantTimeCompare for the token check.
  • Reject the bootstrap request (and ideally disable the endpoint) when AdminBootstrapToken is empty or shorter than a minimum length.
  • Optionally restrict bootstrap to APP_ENV=dev or require a one-time/rotating token.
  • Log a single audit entry on successful and failed bootstrap (without the token value).
  • Add tests for match, mismatch, empty-configured-token, and short-token cases.

Non-functional requirements

  • Must be secure, tested, and documented.
  • Should be efficient and easy to review.

🛠️ Suggested execution

1. Fork the repo and create a branch

git checkout -b security/bootstrap-token-hardening

2. Implement changes

  • Write/modify the relevant source: internal/handlers/admin.go, internal/config/config.go
  • Write comprehensive tests: internal/handlers/admin_test.go
  • Add documentation: note in README/security docs about the bootstrap flow
  • Include GoDoc comments on the comparison helper
  • Validate security assumptions: never log the token; constant-time compare

3. Test and commit

  • Run tests:
go test ./internal/handlers/...
  • Cover edge cases: empty token disables endpoint, short token rejected, mismatch returns 403
  • Include test output and security notes in the PR description.

Example commit message

security(admin): constant-time bootstrap token compare and strength check

✅ Acceptance criteria

  • Token compared with subtle.ConstantTimeCompare
  • Empty/short token disables or rejects bootstrap
  • Audit log on success/failure without the token value
  • Tests cover all branches

🔒 Security notes

This endpoint grants admin; defend against timing oracles and accidental empty-token misconfiguration that would let any authenticated user self-promote.

📋 Guidelines

  • Minimum 95% test coverage
  • Clear documentation
  • Timeframe: 96 hours
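The requirements above, carried through as one added example (not the project's code from internal/handlers/admin.go; Config, the promote callback, the X-Authenticated-User header, the 404-when-disabled choice and MinBootstrapTokenLen = 32 are this example's assumptions). One caveat beyond what the issue states: subtle.ConstantTimeCompare returns 0 immediately when the two inputs differ in length, so comparing the raw strings would still let a caller learn the configured token's length; hashing both sides first and comparing the fixed-size digests closes that.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// MinBootstrapTokenLen is an assumed minimum in bytes; the issue asks only for
// "a minimum length", so 32 is this example's choice, not a project setting.
const MinBootstrapTokenLen = 32

// ErrBootstrapDisabled is returned when AdminBootstrapToken is empty or too short.
var ErrBootstrapDisabled = errors.New("admin bootstrap disabled: AdminBootstrapToken empty or too short")

// Config is a hypothetical stand-in for the project's cfg with only the field used here.
type Config struct {
	AdminBootstrapToken string
}

// CheckBootstrapToken fails closed: a missing or weak configured secret disables the flow.
func CheckBootstrapToken(cfg Config) error {
	if len(cfg.AdminBootstrapToken) < MinBootstrapTokenLen {
		return ErrBootstrapDisabled
	}
	return nil
}

// TokensMatch compares presented to configured without a content-dependent timing profile.
// Both values are hashed first so the constant-time compare always runs over 32-byte
// digests and the length of the configured secret is not observable via the early return.
func TokensMatch(presented, configured string) bool {
	p := sha256.Sum256([]byte(presented))
	c := sha256.Sum256([]byte(configured))
	return subtle.ConstantTimeCompare(p[:], c[:]) == 1
}

// BootstrapAdmin is an illustrative handler. It assumes upstream auth middleware has set
// X-Authenticated-User (hypothetical header) and that promote grants the admin role.
func BootstrapAdmin(cfg Config, promote func(user string) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-Authenticated-User")
		if err := CheckBootstrapToken(cfg); err != nil {
			// Endpoint is effectively disabled; answer as if it did not exist.
			log.Printf("audit: admin bootstrap rejected user=%q remote=%s reason=%v", user, r.RemoteAddr, err)
			http.NotFound(w, r)
			return
		}
		// The presented token is read once and never logged, in any branch.
		if !TokensMatch(r.Header.Get("X-Admin-Bootstrap-Token"), cfg.AdminBootstrapToken) {
			log.Printf("audit: admin bootstrap failed user=%q remote=%s", user, r.RemoteAddr)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if err := promote(user); err != nil {
			log.Printf("audit: admin bootstrap promote error user=%q: %v", user, err)
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		log.Printf("audit: admin bootstrap succeeded user=%q remote=%s", user, r.RemoteAddr)
		w.WriteHeader(http.StatusOK)
	}
}

// Bootstrap drives the handler in-process through httptest for the test cases the issue lists
// (match, mismatch, empty configured token, short token). It returns the HTTP status and
// whether the promote callback actually ran.
func Bootstrap(cfg Config, presented string) (int, bool) {
	promoted := false
	h := BootstrapAdmin(cfg, func(string) error { promoted = true; return nil })
	req := httptest.NewRequest(http.MethodPost, "/admin/bootstrap", nil)
	req.Header.Set("X-Authenticated-User", "alice") // constructed sample user
	if presented != "" {
		req.Header.Set("X-Admin-Bootstrap-Token", presented)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, promoted
}

func main() {
	strong := "0123456789abcdef0123456789abcdef" // 32 bytes, constructed for the example
	for _, tc := range []struct{ cfg, presented string }{
		{strong, strong}, {strong, "wrong"}, {"", "anything"}, {"short", "short"},
	} {
		code, ok := Bootstrap(Config{AdminBootstrapToken: tc.cfg}, tc.presented)
		fmt.Printf("configured=%d bytes -> status=%d promoted=%v\n", len(tc.cfg), code, ok)
	}
}
```

Because TokensMatch("", "") is true (two equal inputs hash to the same digest), the strength check must run before the comparison, never after; the handler above does that, and a test that removes CheckBootstrapToken should see the empty-config case turn into a 200.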

Metadata
Labels

  • GrantFox OSS (GrantFox open-source program)
  • Maybe Rewarded (GrantFox: potentially rewarded contribution)
  • Official Campaign (GrantFox official campaign issue)
  • backend (Backend / API work)
  • security (Security hardening / audit)