From bbd67b2ed6b659d761c91d2c32a1fbae520e1bec Mon Sep 17 00:00:00 2001
From: folbrich <frank.olbricht@gmail.com>
Date: Sat, 18 Apr 2026 17:27:39 +0200
Subject: [PATCH] Enforce Authorization header on index-server

The index-server handler stored the configured authorization value but
never compared it against incoming requests, so --authorization and
DESYNC_HTTP_AUTH had no effect. Add the same check used by the chunk
handler, using crypto/subtle.ConstantTimeCompare to avoid timing
side-channels.
---
 httpindexhandler.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/httpindexhandler.go b/httpindexhandler.go
index 65fd95c3..af815aea 100644
--- a/httpindexhandler.go
+++ b/httpindexhandler.go
@@ -2,6 +2,7 @@ package desync
 
 import (
 	"bytes"
+	"crypto/subtle"
 	"fmt"
 	"net/http"
 	"os"
@@ -20,6 +21,10 @@ func NewHTTPIndexHandler(s IndexStore, writable bool, auth string) http.Handler
 }
 
 func (h HTTPIndexHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if h.authorization != "" && subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte(h.authorization)) != 1 {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
 	indexName := path.Base(r.URL.Path)
 
 	switch r.Method {