From 68f01f9823bbc8def95c0f209ad8980298235c05 Mon Sep 17 00:00:00 2001
From: jdl
Date: Sat, 13 Jun 2026 18:07:21 +0200
Subject: [PATCH] Audit changes.
---
 hub/handler.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hub/handler.go b/hub/handler.go
index b7a69b9..50013cf 100644
--- a/hub/handler.go
+++ b/hub/handler.go
@@ -1,6 +1,7 @@
 package hub

 import (
+ "crypto/subtle"
 "errors"
 "log"
 "net/http"
@@ -64,7 +65,7 @@ func (app *App) handlePeer(pattern string, fn peerHandlerFunc) {
 }

 peer, err := app.api.Peer_GetByAPIKey(apiKey)
- if err != nil {
+ if err != nil || subtle.ConstantTimeCompare([]byte(peer.APIKey), []byte(apiKey)) != 1 {
 http.Error(w, "Not authorized", http.StatusUnauthorized)
 return
 }
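Review bot: The constant-time comparison added to the `if` in handlePeer runs only after `app.api.Peer_GetByAPIKey(apiKey)` has already located the peer by the presented key, so any timing difference in that lookup (its implementation is not visible here) is left untouched. As written, the new check mainly protects against a store that matches keys loosely, for example through a case-insensitive collation; if that is the intent, say so with a comment such as `// The lookup may match loosely; require a byte-exact key before authorizing.` If `peer` is a pointer that can come back nil together with a nil error, `peer.APIKey` would panic before the 401 is sent, so `if err != nil || peer == nil || subtle.ConstantTimeCompare(...) != 1 {` would be safer; confirm this against the API's contract. Indexing peers by a digest of the key rather than the raw key would address the lookup side, but that is a change outside this hunk. handlePeer's body starts and ends outside the hunk.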