fix: APIトークンの定数時間比較とCSPRNG生成に変更

timing attackを防止するため、auth_middlewareのBearer Token比較を
subtle::ConstantTimeEqによる定数時間実装に変更。
トークン生成もUUID v4 (122-bit)からCSPRNG 256-bit hexに強化。

- auth_middleware: == → ct_eq (subtle クレート)
- main.rs: uuid::Uuid::new_v4() → rand::random::<[u8; 32]>()
- 認証失敗時のtracing::warnログを追加

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: hitalin

Cargo.lock

@@ -21,6 +21,8 @@ thiserror = "2.0.18"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 zeroize = "1"
+subtle = "2"
+rand = "0.9"
 keyring-core = { version = "0.7", optional = true }
 axum = "0.8"
 tower-http = { version = "0.6", features = ["cors"] }

Cargo.toml

@@ -9,6 +9,7 @@ use axum::{
     routing::{delete, get, post},
     Json, Router,
 };
+use subtle::ConstantTimeEq;
 use futures_util::stream::Stream;
 use serde::Deserialize;
 use serde_json::{json, Value};
@@ -201,8 +202,13 @@ async fn auth_middleware(
         .and_then(|v| v.strip_prefix("Bearer "));
 
     match token {
-        Some(t) if t == state.api_token => Ok(next.run(req).await),
-        _ => Err(ApiError::unauthorized().into_response()),
+        Some(t) if bool::from(t.as_bytes().ct_eq(state.api_token.as_bytes())) => {
+            Ok(next.run(req).await)
+        }
+        _ => {
+            tracing::warn!(uri = %req.uri(), "unauthorized API access attempt");
+            Err(ApiError::unauthorized().into_response())
+        }
     }
 }
 

src/http_server.rs

@@ -66,7 +66,10 @@ async fn run_daemon(port: u16) {
     let emitter = Arc::new(EventBusEmitter::new(event_bus.clone()));
     let _streaming = StreamingManager::new(emitter, event_bus.clone(), db.clone());
 
-    let api_token = uuid::Uuid::new_v4().to_string();
+    let api_token: String = rand::random::<[u8; 32]>()
+        .iter()
+        .map(|b| format!("{b:02x}"))
+        .collect();
     let token_path = data_dir.join("api-token");
     std::fs::write(&token_path, &api_token).expect("Failed to write API token");
     #[cfg(unix)]