Audit changes

hub/api/api.go

@@ -89,7 +89,7 @@ func (a *API) Session_Delete(sessionID string) {
 }
 
 const (
-	sessionTTLSecs    = 24 * 21 * time.Hour // sessions expire 21 days after last use
+	sessionTTL        = 24 * 21 * time.Hour // sessions expire 21 days after last use
 	sessionSweepEvery = time.Hour           // cadence of expired-session eviction
 )
 
@@ -108,7 +108,7 @@ func (a *API) Session_Get(sessionID string) Session {
 		return Session{}
 	}
 
-	if time.Since(s.LastSeenAt) > sessionTTLSecs {
+	if time.Since(s.LastSeenAt) > sessionTTL {
 		delete(a.sessions, sessionID)
 		return Session{}
 	}
@@ -160,7 +160,7 @@ func (a *API) sweepSessions() {
 	for range time.Tick(sessionSweepEvery) {
 		a.sessionsMu.Lock()
 		for id, s := range a.sessions {
-			if time.Since(s.LastSeenAt) > sessionTTLSecs {
+			if time.Since(s.LastSeenAt) > sessionTTL {
 				delete(a.sessions, id)
 			}
 		}

hub/handler.go

@@ -1,7 +1,6 @@
 package hub
 
 import (
-	"crypto/subtle"
 	"errors"
 	"log"
 	"net/http"
@@ -64,8 +63,9 @@ func (app *App) handlePeer(pattern string, fn peerHandlerFunc) {
 			return
 		}
 
+		// Not doing constant time compare because index lookup time dominates.
 		peer, err := app.api.Peer_GetByAPIKey(apiKey)
-		if err != nil || subtle.ConstantTimeCompare([]byte(peer.APIKey), []byte(apiKey)) != 1 {
+		if err != nil {
 			http.Error(w, "Not authorized", http.StatusUnauthorized)
 			return
 		}