From 5c40af42a69bf75fe4c12183e1c40126df70393c Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Mon, 1 Dec 2025 10:20:39 +0000
Subject: [PATCH] fix(security): autofix A timing attack might allow hackers to bruteforce passwords

---
 lib/thinx/apikey.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/thinx/apikey.js b/lib/thinx/apikey.js
index f16b5a5d9..f4b171605 100644
--- a/lib/thinx/apikey.js
+++ b/lib/thinx/apikey.js
@@ -4,6 +4,7 @@
 var Globals = require("./globals.js");
 var AuditLog = require("./audit");
 var sha256 = require("sha256");
+const crypto = require('crypto');
 const InfluxConnector = require('./influx');
 
 module.exports = class APIKey {
@@ -77,7 +78,7 @@ module.exports = class APIKey {
 let api_keys = JSON.parse(json_keys) || [];
 for (let key in json_keys) {
- if (key.key == new_api_key) {
+ if (key.key && crypto.timingSafeEqual(Buffer.from(key.key), Buffer.from(new_api_key))) {
 return callback(false, "key_already_exists");
 }
 if (key.alias == apikey_alias) {
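Review bot: The `crypto` module imported in this hunk is used in the second hunk as `crypto.timingSafeEqual(Buffer.from(key.key), Buffer.from(new_api_key))`, and that function throws a RangeError when the two buffers differ in byte length, so a non-matching key of a different length turns the duplicate check into an exception instead of a `false` result. Guard the lengths first (or compare fixed-length digests, e.g. via the `sha256` already required above), for example `const stored = Buffer.from(String(key.key || ""));`, `const candidate = Buffer.from(String(new_api_key || ""));`, `if (stored.length === candidate.length && crypto.timingSafeEqual(stored, candidate)) {`. The surrounding `for (let key in json_keys)` appears to iterate the raw JSON string rather than the parsed `api_keys`, in which case `key.key` is always undefined and the new comparison is never reached; that predates this patch but is worth confirming before relying on the fix. The enclosing method starts and ends outside these hunks. Style-wise, the new `const` sits among `var` requires; matching the file's existing declaration form (or converting them together) would keep the header consistent.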