#### Arréglalo con `secrets.compare_digest()` { #fix-it-with-secrets-compare-digest }

Pero en nuestro código estamos usando realmente `secrets.compare_digest()`.

 * create the memory pressure required to cause soft references to be cleared.
 *
 * <p>This class only provides testing utilities. It is not designed for direct use in production or
 * for benchmarking.
 *
 * @author mike nonemacher
 * @author Martin Buchholz
 * @since 11.0
 */
@GwtIncompatible
@J2ktIncompatible
@J2ObjCIncompatible // gc
@NullMarked

     | Specifies a repository mirror site to use instead of a given repository. The repository that
     | this mirror serves has an ID that matches the mirrorOf element of this mirror. IDs are used
     | for inheritance and direct lookup purposes, and must be unique across the set of mirrors.
     |
    <mirror>
      <id>mirrorId</id>
      <mirrorOf>repositoryId</mirrorOf>
      <name>Human Readable Name for this Mirror.</name>

 * intended for use in Internationalized Domain Names (IDNs).
 *
 * This class contains a Kotlin implementation of the pseudocode specified by RFC 3492. It includes
 * direct translation of the pseudocode presented there.
 *
 * Partner this class with [UTS #46] to implement IDNA2008 [RFC 5890] like most browsers do.
 *
 * [RFC 3492]: https://datatracker.ietf.org/doc/html/rfc3492

 * are inherently approximate, routinely affected by periodic clock corrections. Because this class
 * (by default) uses {@link System#nanoTime}, it is unaffected by these changes.
 *
 * <p>Use this class instead of direct calls to {@link System#nanoTime} for two reasons:
 *
 * <ul>
 *   <li>The raw {@code long} values returned by {@code nanoTime} are meaningless and unsafe to use
 *       in any other way than how {@code Stopwatch} uses them.

* `apiKey`: 다음에서 전달될 수 있는 애플리케이션 전용 키:
    * 쿼리 파라미터
    * 헤더
    * 쿠키
* `http`: 표준 HTTP 인증 시스템, 예:
    * `bearer`: `Authorization` 헤더에 `Bearer ` + 토큰 값을 넣는 방식. OAuth2에서 유래했습니다.
    * HTTP Basic 인증
    * HTTP Digest 등
* `oauth2`: 보안을 처리하는 모든 OAuth2 방식(이를 "flow"라고 부릅니다).
    * 이 flow들 중 여러 개는 OAuth 2.0 인증 제공자(예: Google, Facebook, X (Twitter), GitHub 등)를 구축하는 데 적합합니다:
        * `implicit`
        * `clientCredentials`

#### 「專業」的攻擊 { #a-professional-attack }

當然，攻擊者不會手動嘗試這一切，他們會寫程式來做，可能每秒進行上千或上百萬次測試，一次只多猜中一個正確字母。

但這樣做，幾分鐘或幾小時內，他們就能在我們應用程式「協助」下，僅靠回應時間就猜出正確的使用者名稱與密碼。

#### 用 `secrets.compare_digest()` 修正 { #fix-it-with-secrets-compare-digest }

但在我們的程式碼中實際使用的是 `secrets.compare_digest()`。

簡而言之，將 `stanleyjobsox` 與 `stanleyjobson` 比較所花的時間，會與將 `johndoe` 與 `stanleyjobson` 比較所花的時間相同；密碼也一樣。

如此一來，在應用程式程式碼中使用 `secrets.compare_digest()`，就能安全地防禦這整類的安全攻擊。

            public static final String DEFAULT_LANG = "default.lang";
            public static final String DEFAULT_CONTENT = "default.content";
            public static final String DEFAULT_DIGEST = "default.digest";
            // xapth.<field>=<value>
        }

        // config.*
        public static class Config {
            public static final String KEEP_ORIGINAL_BODY = "keep.original.body";

      },
      "timestamp": {
        "type": "date",
        "format": "date_optional_time"
      },
      "expires": {
        "type": "date",
        "format": "date_optional_time"
      },
      "digest": {
        "type": "text",
        "index": false
      },
      "doc_id": {
        "type": "keyword"
      },
      "favorite_count": {
        "type": "long"
      },
      "filename": {

#### Fix it with `secrets.compare_digest()` { #fix-it-with-secrets-compare-digest }

But in our code we are actually using `secrets.compare_digest()`.