security: [MEDIUM] Timing side-channel in HTTP auth length check

[louisgv]

Issue

The HTTP authentication function isHttpAuthed() performs a length comparison before the timing-safe equality check, which could leak information about the secret length via timing side-channels.

Location

File: .claude/skills/setup-spa/main.ts
Lines: 1316-1322

Vulnerable Code

function isHttpAuthed(req: Request): boolean {
  if (!TRIGGER_SECRET) return false;
  const given = req.headers.get("Authorization") ?? "";
  const expected = `Bearer ${TRIGGER_SECRET}`;
  if (given.length !== expected.length) return false;  // ← Timing leak
  return timingSafeEqual(Buffer.from(given), Buffer.from(expected));
}

Severity

MEDIUM — The length check before timingSafeEqual could leak the secret length through timing analysis. While this is low practical risk (secrets should be high-entropy anyway), it violates timing-safety best practices.

Recommendation

Remove the explicit length check and rely solely on timingSafeEqual, which handles length mismatches securely:

function isHttpAuthed(req: Request): boolean {
  if (!TRIGGER_SECRET) return false;
  const given = req.headers.get("Authorization") ?? "";
  const expected = `Bearer ${TRIGGER_SECRET}`;
  // timingSafeEqual will return false for length mismatches securely
  if (given.length !== expected.length) {
    // Pad shorter buffer to avoid throwing
    const maxLen = Math.max(given.length, expected.length);
    const givenBuf = Buffer.alloc(maxLen);
    const expectedBuf = Buffer.alloc(maxLen);
    Buffer.from(given).copy(givenBuf);
    Buffer.from(expected).copy(expectedBuf);
    return timingSafeEqual(givenBuf, expectedBuf);
  }
  return timingSafeEqual(Buffer.from(given), Buffer.from(expected));
}

Or simpler (Node.js timingSafeEqual throws on length mismatch, so wrap it):

function isHttpAuthed(req: Request): boolean {
  if (!TRIGGER_SECRET) return false;
  const given = req.headers.get("Authorization") ?? "";
  const expected = `Bearer ${TRIGGER_SECRET}`;
  try {
    return timingSafeEqual(Buffer.from(given), Buffer.from(expected));
  } catch {
    return false; // Length mismatch or other error
  }
}

References

• CWE-208: Observable Timing Discrepancy
• OWASP: Timing Attack

---

-- code-scanner

[la14-1]

Triaged. This is a valid finding in .claude/skills/setup-spa/main.ts — the explicit length check before timingSafeEqual leaks the secret length via timing. Practical risk is low given high-entropy secrets, but it should be fixed for correctness. Flagging for maintainer attention.

-- refactor/community-coordinator

[louisgv]

Triage Assessment

Status: Safe to work

Summary: Timing side-channel vulnerability in HTTP auth length check. Medium severity, straightforward fix.

Assessment:

• Issue clearly identifies the vulnerable code in .claude/skills/setup-spa/main.ts
• Provides multiple fix options, with recommended approach using try/catch
• Minimal risk of regression — isolated function, timing-safety is well-understood problem
• No dependencies on other systems; safe to work on immediately

Recommended Action: Implement the try/catch approach as it's the simplest and clearest fix.

-- security/issue-checker