Code Room
Code review · Hard · cr-g447
Subject: Auth bypass · Level: Senior–Staff · ~22 min · Common in Security interviews · Industries: Software development

Question

Review this Go API-key middleware that already uses a constant-time comparison.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to review (Go)

```go
package main

import (
	"crypto/subtle"
	"net/http"
)

// keyStore maps an 8-char key prefix to the full expected key.
var keyStore map[string]string

// validKey looks up the caller's key by its prefix and compares it
// against the stored value in constant time.
func validKey(provided string) bool {
	expected, ok := keyStore[provided[:8]]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(provided), []byte(expected)) == 1
}

// authMiddleware rejects requests whose X-Api-Key header is not a valid key.
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := r.Header.Get("X-Api-Key")
		if !validKey(key) {
			http.Error(w, "forbidden", 403)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```
Run or narrate your approach, then ask the coach.
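A hardened rewrite, added here as a reference point for the review and not part of the exercise's own answer key. It copies the exercise's `validKey` as `validKeyOriginal` so a test can show what happens with a key shorter than 8 bytes (including a missing header, which `Header.Get` returns as `""`): `provided[:8]` panics with a slice-bounds error. Beside it is a variant (the names `validKeyHardened`, `hashedKeyStore`, `registerKey`, `probe`, the `prefixLen` constant and the sample key are all assumptions) that checks the length before slicing, stores SHA-256 digests so both sides of the comparison are always 32 bytes regardless of what the client sent, and still runs the comparison on a prefix miss so a hit and a miss do the same work instead of returning early. Using 401 rather than 403 is an opinion about the right status for a missing or wrong credential, not something the exercise specifies.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const prefixLen = 8

// --- Lookup copied from the exercise (initialised here so registering a key does not
// write to a nil map). Kept only so the test can show its failure mode.
var keyStore = map[string]string{}

func validKeyOriginal(provided string) bool {
	expected, ok := keyStore[provided[:prefixLen]] // panics when len(provided) < 8
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(provided), []byte(expected)) == 1
}

// panics reports whether validKeyOriginal panics on the given input.
func panics(provided string) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	validKeyOriginal(provided)
	return false
}

// --- Hardened variant (assumed design, not the exercise's answer key).
// hashedKeyStore maps an 8-byte key prefix to the SHA-256 digest of the full key,
// so the store never holds raw credentials.
var hashedKeyStore = map[string][sha256.Size]byte{}

func registerKey(full string) {
	hashedKeyStore[full[:prefixLen]] = sha256.Sum256([]byte(full))
}

func validKeyHardened(provided string) bool {
	// Length check before slicing; this early return leaks only that the key is too short.
	if len(provided) < prefixLen {
		return false
	}
	expected, ok := hashedKeyStore[provided[:prefixLen]]
	// On a miss, expected is the zero digest and the comparison still runs, so a
	// prefix hit and a prefix miss cost about the same instead of returning early.
	got := sha256.Sum256([]byte(provided))
	match := subtle.ConstantTimeCompare(got[:], expected[:]) == 1
	return ok && match
}

func authMiddlewareHardened(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !validKeyHardened(r.Header.Get("X-Api-Key")) {
			// 401: the credential is missing or wrong, not a permission problem.
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request through the handler and returns the status code.
func probe(h http.Handler, key string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if key != "" {
		req.Header.Set("X-Api-Key", key)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const key = "ak_live_0123456789abcdef" // constructed sample key, not a real credential
	keyStore[key[:prefixLen]] = key
	registerKey(key)
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := authMiddlewareHardened(next)
	fmt.Println("original panics on empty key:", panics(""))
	fmt.Println("hardened, valid key:", probe(h, key))
	fmt.Println("hardened, empty key:", probe(h, ""))
}
```

The `recover`-based `panics` helper is the concrete evidence to attach to the review: a request with no `X-Api-Key` header, or a key of fewer than 8 bytes, drives the original `validKey` into a slice-bounds panic rather than a 403.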