Code Room
Code review (Hard)
Question
Review this Go API-key middleware that already uses a constant-time comparison.
What a strong answer looks like
Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.
```go
package main

import (
	"crypto/subtle"
	"net/http"
)

// keyStore maps an 8-char key prefix to the full expected key.
var keyStore map[string]string

func validKey(provided string) bool {
	expected, ok := keyStore[provided[:8]]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(provided), []byte(expected)) == 1
}

func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := r.Header.Get("X-Api-Key")
		if !validKey(key) {
			http.Error(w, "forbidden", 403)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```
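One way the "concrete fix" part of a review could look, as an added example that is not part of the original exercise or its answer key. It assumes keys are stored as SHA-256 digests indexed by the same 8-char prefix; `hashedKeyStore`, `dummyDigest`, `addKey`, `safeValidKey`, `safeAuthMiddleware` and the sample key are hypothetical names and constructed values.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

const prefixLen = 8 // same prefix length the reviewed code uses
// hashedKeyStore (hypothetical) maps key prefix -> SHA-256 of the full key; fill at startup, then read-only.
var hashedKeyStore = map[string][sha256.Size]byte{}

// dummyDigest stands in for an unknown prefix, so a miss still hashes and compares.
var dummyDigest = sha256.Sum256([]byte("no-such-key"))

// addKey is an assumed setup helper; keys must be at least prefixLen bytes long.
func addKey(key string) {
	hashedKeyStore[key[:prefixLen]] = sha256.Sum256([]byte(key))
}

func safeValidKey(provided string) bool {
	if len(provided) < prefixLen { // provided[:8] in the reviewed code panics on short or missing headers
		return false
	}
	expected, ok := hashedKeyStore[provided[:prefixLen]]
	if !ok {
		expected = dummyDigest
	}
	got := sha256.Sum256([]byte(provided))
	// Fixed-length digests: ConstantTimeCompare never hits its length-mismatch early return.
	match := subtle.ConstantTimeCompare(got[:], expected[:]) == 1
	return match && ok
}

func safeAuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !safeValidKey(r.Header.Get("X-Api-Key")) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	addKey("abcd1234-constructed-sample-key") // constructed sample key
	fmt.Println(safeValidKey(""), safeValidKey("abcd1234-constructed-sample-key"))
}
```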