Use crypto.timingSafeEqual() instead of secure-compare module (#40)

* Use crypto.timingSafeEqual() * Just try/catch Node core api
fastify · May 28, 2020 · 39353b1 · 39353b1
1 parent 146f88c
commit 39353b1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -37,8 +37,7 @@
     "tsd": "^0.11.0"
   },
   "dependencies": {
-    "fastify-plugin": "^2.0.0",
-    "secure-compare": "^3.0.1"
+    "fastify-plugin": "^2.0.0"
   },
   "tsd": {
     "directory": "test",

diff --git a/plugin.js b/plugin.js
@@ -1,7 +1,7 @@
 'use strict'
 
+const crypto = require('crypto')
 const fp = require('fastify-plugin')
-const compare = require('secure-compare')
 
 function factory (options) {
   const defaultOptions = {
@@ -80,6 +80,16 @@ function authenticate (keys, key) {
   return keys.findIndex((a) => compare(a, key)) !== -1
 }
 
+// perform constant-time comparison to prevent timing attacks
+function compare (a, b) {
+  try {
+    // may throw if they have different length, can't convert to Buffer, etc...
+    return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))
+  } catch {
+    return false
+  }
+}
+
 function plugin (fastify, options, next) {
   fastify.addHook('onRequest', factory(options))
   next()