Replace buffer-equal-constant-time with crypto.timingSafeEqual (#52)

* refactor: replace buffer-equal-constant-time with crypto.timingSafeEqual

buffer-equal-constant-time uses SlowBuffer that has been removed on Node 24

* refactor: falls back to `buffer-equal-constant-time` for older Node versions where `timingSafeEqual` is not available.

Co-authored-by: Filip Skokan <[email protected]>

---------

Co-authored-by: Filip Skokan <[email protected]>

Author: Tango992

index.js

@@ -1,4 +1,3 @@
-var bufferEqual = require('buffer-equal-constant-time');
 var Buffer = require('safe-buffer').Buffer;
 var crypto = require('crypto');
 var formatEcdsa = require('ecdsa-sig-formatter');
@@ -135,10 +134,25 @@ function createHmacSigner(bits) {
   }
 }
 
+var bufferEqual;
+var timingSafeEqual = 'timingSafeEqual' in crypto ? function timingSafeEqual(a, b) {
+  if (a.byteLength !== b.byteLength) {
+    return false;
+  }
+
+  return crypto.timingSafeEqual(a, b)
+} : function timingSafeEqual(a, b) {
+  if (!bufferEqual) {
+    bufferEqual = require('buffer-equal-constant-time');
+  }
+
+  return bufferEqual(a, b)
+}
+
 function createHmacVerifier(bits) {
   return function verify(thing, signature, secret) {
     var computedSig = createHmacSigner(bits)(thing, secret);
-    return bufferEqual(Buffer.from(signature), Buffer.from(computedSig));
+    return timingSafeEqual(Buffer.from(signature), Buffer.from(computedSig));
   }
 }
 

package.json

@@ -7,7 +7,7 @@
     "test": "test"
   },
   "dependencies": {
-    "buffer-equal-constant-time": "1.0.1",
+    "buffer-equal-constant-time": "^1.0.1",
     "ecdsa-sig-formatter": "1.0.11",
     "safe-buffer": "^5.0.1"
   },