use timingSafeEqual comparison for plain password check
authorJustin Wind <justin.wind+git@gmail.com>
Sat, 25 Jan 2025 22:49:25 +0000 (14:49 -0800)
committerJustin Wind <justin.wind+git@gmail.com>
Sat, 25 Jan 2025 22:49:25 +0000 (14:49 -0800)
lib/authenticator.js

index 7b61cf4610b322102b9eaa3b747ae95e24690023..ff26d6b11d3ea99188e6a84b606ad6a417a2eb48 100644 (file)
@@ -5,6 +5,7 @@ const Enum = require('./enum');
 const Errors = require('./errors');
 const { MysteryBox } = require('@squeep/mystery-box');
 const { TOTP } = require('@squeep/totp');
+const { timingSafeEqual } = require('node:crypto');
 const { name: packageName } = require('../package');
 
 const _fileScope = common.fileScope(__filename);
@@ -236,7 +237,9 @@ class Authenticator {
    * @returns {Promise<boolean>} is valid
    */
   static _isValidPlainIdentifier(authData, credential) {
-    return authData.credential.substring('$plain$'.length) === credential;
+    const authBuf = Buffer.from(authData.credential.substring('$plain$'.length));
+    const credBuf = Buffer.from(credential);
+    return (authBuf.length === credBuf.length) && timingSafeEqual(authBuf, credBuf);
   }
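Review bot: `Buffer.from(credential)` on the new line changes the failure mode for a missing or non-string credential: the old `===` comparison returned false, while `Buffer.from(undefined)` throws a TypeError, so a request that omits the password now surfaces as an exception from _isValidPlainIdentifier rather than a clean authentication failure. A guard before the conversion keeps the documented boolean contract, e.g. `if (typeof credential !== 'string') { return false; }`. Separately, the `authBuf.length === credBuf.length` short-circuit is needed because timingSafeEqual throws on unequal lengths, but it does mean the early-return path differs in timing from the compare path, so response time still reveals whether the supplied value's length matches the stored one; if that matters here, comparing fixed-size digests of both buffers (e.g. `createHash('sha256')` over each, also from `node:crypto`) removes the length dependency and the need for the length check. The enclosing Authenticator class begins before this hunk.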