From ee04fbbe3a90e7afea8cad56fad79f53fb1311d2 Mon Sep 17 00:00:00 2001
From: aaron levin
Date: Tue, 26 Jan 2016 23:50:26 +0100
Subject: [PATCH] Include note about basic auth timing attacks

---
 servant/src/Servant/API/Auth.hs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/servant/src/Servant/API/Auth.hs b/servant/src/Servant/API/Auth.hs
index 5aa2638c..4c9cb349 100644
--- a/servant/src/Servant/API/Auth.hs
+++ b/servant/src/Servant/API/Auth.hs
@@ -13,7 +13,9 @@ import GHC.TypeLits (Symbol)
 --
 -- *IMPORTANT*: Only use Basic Auth over HTTPS! Credentials are not hashed or
 -- encrypted. Note also that because the same credentials are sent on every
--- request, Basic Auth is not as secure as some alternatives.
+-- request, Basic Auth is not as secure as some alternatives. Further, the
+-- implementation in servant-server does not protect against some types of
+-- timing attacks.
 --
 -- In Basic Auth, username and password are base64-encoded and transmitted via
 -- the @Authorization@ header. Handshakes are not required, making it
@@ -26,6 +28,7 @@ data BasicAuthData = BasicAuthData { basicAuthUsername :: !ByteString
                                    , basicAuthPassword :: !ByteString
                                    }
 
--- | A generalized Authentication combinator.
+-- | A generalized Authentication combinator. Use this if you have a
+-- non-standard authentication technique.
 data AuthProtect (tag :: k)
     deriving (Typeable)
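Review bot: The caveat added at `+-- timing attacks.` names a risk without saying which step is timing-sensitive or what a library user can do about it, so it is not actionable as documentation. A more useful wording would state the concern and the mitigation the caller controls, e.g. `-- Further, servant-server does not compare credentials in constant time; when you supply your own credential check, compare secrets with a constant-time equality rather than a short-circuiting one.` The comparison itself is not visible in this patch, so confirm that description against the servant-server implementation before stating it as fact. The Haddock block this hunk edits begins before the hunk.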