Improve protect against timing attacks

Author: zigazajc007

src/admin/helpers.ts

@@ -28,7 +28,10 @@ export function adminBearerAuth() {
 			if (!config.adminAPI.enabled) return false;
 
 			const expected = config.adminAPI.token;
-			if (token.length !== expected.length) return false;
+
+			if (token.length !== expected.length) {
+				return !crypto.timingSafeEqual(Buffer.from(token), Buffer.from(token));
+			}
 
 			return crypto.timingSafeEqual(Buffer.from(token), Buffer.from(expected));
 		},

src/cache.ts

@@ -378,7 +378,10 @@ class CacheManager {
 			return true;
 		}
 
-		if (providedPassword.length !== statusPage.hashedPassword!.length) return false;
+		if (providedPassword.length !== statusPage.hashedPassword!.length) {
+			return !crypto.timingSafeEqual(Buffer.from(providedPassword), Buffer.from(providedPassword));
+		}
+
 		return crypto.timingSafeEqual(Buffer.from(providedPassword), Buffer.from(statusPage.hashedPassword!));
 	}
 

src/routes/helpers.ts

@@ -19,7 +19,11 @@ export function statusPageBearerAuth() {
 			const slug = ctx.params["slug"]!;
 			const statusPage: StatusPage | undefined = cache.getStatusPageBySlug(slug);
 			if (!statusPage) return false;
-			if (token.length !== statusPage.hashedPassword!.length) return false;
+
+			if (token.length !== statusPage.hashedPassword!.length) {
+				return !crypto.timingSafeEqual(Buffer.from(token), Buffer.from(token));
+			}
+
 			return crypto.timingSafeEqual(Buffer.from(token), Buffer.from(statusPage.hashedPassword!));
 		},
 	});