
Commit 9b5de22

use timing sage equal for authentication
1 parent a27e0ec commit 9b5de22


1 file changed

+11
-3
lines changed

1 file changed

+11
-3
lines changed

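--- a/apps/authproxy/routes/accounts.ts
+++ b/apps/authproxy/routes/accounts.ts
@@ -1,3 +1,5 @@
+import * as crypto from "node:crypto";
+
 import {
   HttpApi,
   HttpApiBuilder,
@@ -312,14 +314,20 @@ const AccountsGroupLive = HttpApiBuilder.group(AccountsApi, "AccountsGroup", (ha
 export const AuthorizationLive = Layer.effect(
   Authorization,
   Effect.gen(function* () {
-    const adminUsername = yield* Config.string("ADMIN_USERNAME");
+    const adminUsername = yield* Config.redacted("ADMIN_USERNAME");
     const adminPassword = yield* Config.redacted("ADMIN_PASSWORD");
 
     return {
       basic: (credentials) => {
         if (
-          credentials.username !== adminUsername ||
-          Redacted.value(credentials.password) !== Redacted.value(adminPassword)
+          !crypto.timingSafeEqual(
+            Buffer.from(credentials.username),
+            Buffer.from(Redacted.value(adminUsername))
+          ) ||
+          !crypto.timingSafeEqual(
+            Buffer.from(Redacted.value(credentials.password)),
+            Buffer.from(Redacted.value(adminPassword))
+          )
         ) {
           return Effect.fail(new HttpApiError.Unauthorized());
         }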
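Review bot: `crypto.timingSafeEqual` throws a `RangeError` when its two buffers differ in byte length, so in the second hunk a submitted username or password whose length does not match the configured value escapes `basic` as a thrown error instead of reaching `Effect.fail(new HttpApiError.Unauthorized())`, and that distinct failure mode also reveals whether the length was right. Comparing fixed-length digests of both sides (e.g. SHA-256) removes the length precondition and makes the comparison genuinely constant-time for any input; a small `safeEqual(a, b)` helper next to the import keeps both call sites uniform. Separately, the `||` between the two checks short-circuits, so the password comparison only runs when the username matched; evaluating both results before branching avoids that ordering difference. The `basic` handler and the enclosing `Effect.gen` continue past the end of the hunk.
```typescript
// … unchanged: imports …

/** Constant-time equality for secrets; hashing first gives both sides the same length, so timingSafeEqual cannot throw on a length mismatch. */
const safeEqual = (a: string, b: string): boolean =>
  crypto.timingSafeEqual(
    crypto.createHash("sha256").update(a, "utf8").digest(),
    crypto.createHash("sha256").update(b, "utf8").digest()
  );

// … unchanged: AuthorizationLive up to the credentials check …
        const usernameOk = safeEqual(credentials.username, Redacted.value(adminUsername));
        const passwordOk = safeEqual(Redacted.value(credentials.password), Redacted.value(adminPassword));
        if (!usernameOk || !passwordOk) {
          return Effect.fail(new HttpApiError.Unauthorized());
        }
```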
