From fa9b3384c8070f0e5b408e4968bfc1c0c1d14b15 Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Wed, 11 Sep 2024 14:36:30 +0200
Subject: [PATCH] Check payload length earlier
---
 relay/auth/hmac/v2/validator.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/relay/auth/hmac/v2/validator.go b/relay/auth/hmac/v2/validator.go
index a757fcc9ab..7f448dd5fb 100644
--- a/relay/auth/hmac/v2/validator.go
+++ b/relay/auth/hmac/v2/validator.go
@@ -8,6 +8,8 @@ import (
 "time"
 )
 
+const minLengthUnixTimestamp = 10
+
 type Validator struct {
 secret []byte
 }
@@ -27,6 +29,10 @@ func (v *Validator) Validate(data any) error {
 return fmt.Errorf("unmarshal token: %w", err)
 }
 
+ if len(token.Payload) < minLengthUnixTimestamp {
+ return errors.New("invalid payload: insufficient length")
+ }
+
 hashFunc := token.AuthAlgo.New()
 if hashFunc == nil {
 return fmt.Errorf("unsupported auth algorithm: %s", token.AuthAlgo)
@@ -40,10 +46,6 @@ func (v *Validator) Validate(data any) error {
 return errors.New("invalid signature")
 }
 
- if len(token.Payload) < 8 {
- return errors.New("invalid payload: insufficient length")
- }
-
 timestamp, err := strconv.ParseInt(string(token.Payload), 10, 64)
 if err != nil {
 return fmt.Errorf("invalid payload: %w", err)
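Review bot: The new constant `minLengthUnixTimestamp = 10` has no comment saying what the 10 counts or why, and it quietly raises the threshold from the 8 used by the removed check, which the commit title ("Check payload length earlier") does not mention. I would add a doc comment such as `// minLengthUnixTimestamp is the shortest accepted payload in bytes: a decimal, seconds-resolution Unix timestamp has 10 digits for any time after 2001-09-09.` It would also help to state the stricter bound in the commit message, so that anyone bisecting a rejected token can find the behaviour change.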
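Review bot: The length guard added to Validate now runs before the signature comparison, so it is evaluated on unauthenticated input, yet it enforces only a lower bound. The payload is later passed to `strconv.ParseInt(string(token.Payload), 10, 64)`, which cannot succeed on more than 19 digits plus a sign, so an over-long payload could be rejected here as well, before anything is hashed: `if n := len(token.Payload); n < minLengthUnixTimestamp || n > maxLengthUnixTimestamp {` with `const maxLengthUnixTimestamp = 20`. Whether the payload size is already capped upstream is not visible in this hunk. A comment like `// cheap pre-auth sanity check; the signature comparison below remains the trust boundary` would make the ordering explicit. Validate's body starts and continues outside the hunk.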