From: Justin Wind
Date: Sat, 25 Jan 2025 22:49:25 +0000 (-0800)
Subject: use timingSafeEqual comparison for plain password check
X-Git-Tag: v1.5.1~2
X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=9626f54ed7b3a4a33de3e07a6ca0d77e894ba670;p=squeep-authentication-module

use timingSafeEqual comparison for plain password check
---
diff --git a/lib/authenticator.js b/lib/authenticator.js
index 7b61cf4..ff26d6b 100644
--- a/lib/authenticator.js
+++ b/lib/authenticator.js
@@ -5,6 +5,7 @@ const Enum = require('./enum');
 const Errors = require('./errors');
 const { MysteryBox } = require('@squeep/mystery-box');
 const { TOTP } = require('@squeep/totp');
+const { timingSafeEqual } = require('node:crypto');
 const { name: packageName } = require('../package');
 const _fileScope = common.fileScope(__filename);
@@ -236,7 +237,9 @@ class Authenticator {
 * @returns {Promise} is valid
 */
 static _isValidPlainIdentifier(authData, credential) {
- return authData.credential.substring('$plain$'.length) === credential;
+ const authBuf = Buffer.from(authData.credential.substring('$plain$'.length));
+ const credBuf = Buffer.from(credential);
+ return (authBuf.length === credBuf.length) && timingSafeEqual(authBuf, credBuf);
 }
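Review bot: `Buffer.from(credential)` in the second hunk throws a TypeError when `credential` is not a string or Buffer (undefined, null, or a non-string value), whereas the removed `===` comparison simply returned false; unless every caller guarantees a string, guard first with `if (typeof credential !== 'string') return false;`. The length check that precedes `timingSafeEqual` still short-circuits on a length mismatch, so response time can reveal whether the supplied password has the same byte length as the stored one; if that matters here, the usual mitigation is to compare fixed-length digests of both values (`createHash('sha256')` from node:crypto, imported alongside `timingSafeEqual` in the first hunk) so that `timingSafeEqual` always runs. A short comment would help the next reader, e.g. `// compare UTF-8 byte buffers; the length check comes first because timingSafeEqual throws on buffers of unequal length`. The unchanged JSDoc above the method still says `@returns {Promise} is valid` while the method returns a boolean synchronously; `@returns {boolean} is valid` would match the code. The enclosing class Authenticator continues outside the hunk.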