From 02be34159d1371e74a683084c2ecdd19eebf3ac6 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kspearrin@users.noreply.github.com>
Date: Tue, 28 Oct 2025 09:51:24 -0400
Subject: [PATCH] fix(vuln): Change OTP and Email providers to use
 time-constant equality operators

Co-authored-by: Todd Martin <106564991+trmartin4@users.noreply.github.com>
---
 src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs     | 2 +-
 .../TokenProviders/OtpTokenProvider/OtpTokenProvider.cs         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs b/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs
index 70aba8ef75..f6ef3a5dd0 100644
--- a/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs
+++ b/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs
@@ -65,7 +65,7 @@ public class EmailTokenProvider : IUserTwoFactorTokenProvider<User>
         }
 
         var code = Encoding.UTF8.GetString(cachedValue);
-        var valid = string.Equals(token, code);
+        var valid = CoreHelpers.FixedTimeEquals(token, code);
         if (valid)
         {
             await _distributedCache.RemoveAsync(cacheKey);
diff --git a/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs b/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs
index b6280e13fe..ae394f817e 100644
--- a/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs
+++ b/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs
@@ -64,7 +64,7 @@ public class OtpTokenProvider<TOptions>(
         }
 
         var code = Encoding.UTF8.GetString(cachedValue);
-        var valid = string.Equals(token, code);
+        var valid = CoreHelpers.FixedTimeEquals(token, code);
         if (valid)
         {
             await _distributedCache.RemoveAsync(cacheKey);