From 2d2fa0d40ac8f2f7aa7e9b070fa1a25eee082cb0 Mon Sep 17 00:00:00 2001
From: anfedorov
Date: Sat, 4 Nov 2017 18:59:55 -0700
Subject: [PATCH] Use constant-time string comparison for sigs

Fixed #12
---
 src/main/scala/authentikat/jwt/JsonWebToken.scala | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/scala/authentikat/jwt/JsonWebToken.scala b/src/main/scala/authentikat/jwt/JsonWebToken.scala
index 788de69..3084cdf 100644
--- a/src/main/scala/authentikat/jwt/JsonWebToken.scala
+++ b/src/main/scala/authentikat/jwt/JsonWebToken.scala
@@ -84,7 +84,7 @@ object JsonWebToken extends JsonMethods {
         val signature = encodeBase64URLSafeString(
           JsonWebSignature(header.algorithm.getOrElse("none"), providedHeader + "." + providedClaims, key))
-        providedSignature.contentEquals(signature)
+        java.security.MessageDigest.isEqual(providedSignature.getBytes(), signature.getBytes())
       case _ ⇒ false
     }
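Review bot: The added `isEqual` call encodes both strings with `getBytes()` and so with the platform default charset; both values are Base64URL text, so the result is ASCII on any sane platform, but the comparison is clearer and platform-independent as `java.security.MessageDigest.isEqual(providedSignature.getBytes(java.nio.charset.StandardCharsets.US_ASCII), signature.getBytes(java.nio.charset.StandardCharsets.US_ASCII))`. Nothing on the line says why `contentEquals` was replaced, so a comment such as `// constant-time compare: String equality stops at the first differing byte` would keep the next maintainer from "simplifying" it back. Note that `MessageDigest.isEqual` still returns at once when the lengths differ, which is acceptable here only because the expected signature length is fixed by the algorithm; that expected signature is computed from `header.algorithm`, i.e. a value taken from the token itself, so the constant-time compare only helps if the algorithm the key was issued for is enforced elsewhere (in particular that a header selecting `"none"` is rejected) — that code is outside this hunk and worth confirming. The enclosing match and its method start and end outside the hunk.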