From dc464fa480e899b8ebd193f3917d0c2a1e4f752a Mon Sep 17 00:00:00 2001
From: aaron levin
Date: Tue, 26 Jan 2016 23:53:39 +0100
Subject: [PATCH] Note on basic auth timing attacks in servant-server.

---
 servant-server/src/Servant/Server/Internal/Auth.hs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/servant-server/src/Servant/Server/Internal/Auth.hs b/servant-server/src/Servant/Server/Internal/Auth.hs
index fd279232..f53302c7 100644
--- a/servant-server/src/Servant/Server/Internal/Auth.hs
+++ b/servant-server/src/Servant/Server/Internal/Auth.hs
@@ -37,6 +37,10 @@ mkAuthHandler = AuthHandler
 -- * Basic Auth
 
+-- | servant-server's current implementation of basic authentication is not
+-- immune to certian kinds of timing attacks. Decoding payloads does not take
+-- a fixed amount of time.
+
 -- | The result of authentication/authorization
 data BasicAuthResult usr = Unauthorized