Merge 84b27f5 into b4c09b5

connectedcars · Oct 26, 2018 · 5edb3b0 · 5edb3b0
2 parents b4c09b5 + 84b27f5
commit 5edb3b0
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/sample/simpleidp/index.js b/sample/simpleidp/index.js
@@ -39,7 +39,8 @@ app.use('/api/login', (req, res) => {
   let username = req.body.username
 
   // Here we do a simple hashed password check
-  crypto.pbkdf2(password, 'salt', 100000, 64, 'sha512', (err, derivedKey) => {
+  const salt = crypto.randomBytes(16)
+  crypto.pbkdf2(password, salt, 100000, 64, 'sha512', (err, derivedKey) => {
     if (err) {
       return res.sendStatus(403)
     }
@@ -48,8 +49,9 @@ app.use('/api/login', (req, res) => {
     if (!hashedPassword) {
       return res.sendStatus(403)
     }
-
-    if (hashedPassword !== derivedKey.toString('hex')) {
+
+    let hashedPasswordBytes = Buffer.from(hashedPassword, 'hex')
+    if (!crypto.timingSafeEqual(hashedPasswordBytes, derivedKey)) {
       return res.sendStatus(403)
     }