From 60aca2f90d576a4eb866602c91a9757204b2b97d Mon Sep 17 00:00:00 2001
From: "ljf (zamentur)"
Date: Tue, 2 Mar 2021 13:56:32 +0100
Subject: [PATCH] [enh] Add security comment
---
 helpers.lua | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/helpers.lua b/helpers.lua
index 1c3e7b8..ce4b504 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -327,7 +327,9 @@ function is_admin()
 local token = token:gsub("\n","")
- -- FIXME FIXME FIXME - this is a really stupid and time-attack-prone way to validate the token
+ -- LUA comparison are made in constant time thanks to interned string mechanism
+ -- It compare pointers and not char by char. SO no risk of timing attack here :)
+ -- See https://poprocks.dev/constant-time-string-comparison-in-lua/
 if admin_token_header == token then
 return true
 else