refactor(auth): enhance randomJitter function for cryptographic security (#1295)

sandros94 · web-flow · commit 8312559c693c · 2026-02-06T00:08:43.000+01:00
diff --git a/src/utils/internal/auth.ts b/src/utils/internal/auth.ts
@@ -21,9 +21,12 @@ export function timingSafeEqual(a: string, b: string): boolean {
 }
 
 /**
- * Add random delay (0-100ms) to prevent timing-based credential inference.
+ * Add random delay (0-99ms) to prevent timing-based credential inference.
  */
 export function randomJitter(): Promise<void> {
-  const jitter = Math.floor(Math.random() * 100);
+  const randomBuffer = new Uint32Array(1);
+  crypto.getRandomValues(randomBuffer);
+  const jitter = randomBuffer[0] % 100;
+
   return new Promise((resolve) => setTimeout(resolve, jitter));
 }

Original file line number	Diff line number	Diff line change
`@@ -21,9 +21,12 @@ export function timingSafeEqual(a: string, b: string): boolean {`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`/**`
`24`		`- * Add random delay (0-100ms) to prevent timing-based credential inference.`
	`24`	`+ * Add random delay (0-99ms) to prevent timing-based credential inference.`
`25`	`25`	`*/`
`26`	`26`	`export function randomJitter(): Promise<void> {`
`27`		`- const jitter = Math.floor(Math.random() * 100);`
	`27`	`+ const randomBuffer = new Uint32Array(1);`
	`28`	`+ crypto.getRandomValues(randomBuffer);`
	`29`	`+ const jitter = randomBuffer[0] % 100;`
	`30`	`+`
`28`	`31`	`return new Promise((resolve) => setTimeout(resolve, jitter));`
`29`	`32`	`}`