Update comparison to timing safe (#1535)

homebridge · Sep 24, 2023 · b726b14 · b726b14
1 parent 7fb6d29
commit b726b14
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/core/auth/auth.service.ts b/src/core/auth/auth.service.ts
@@ -95,9 +95,11 @@ export class AuthService {
    * This will throw an error if the credentials are incorrect.
    */
   private async checkPassword(user: UserDto, password: string) {
-    const hashedPassword = await this.hashPassword(password, user.salt);
+    const passwordAttemptHash = await this.hashPassword(password, user.salt);
+    const passwordAttemptHashBuff = Buffer.from(passwordAttemptHash, 'hex');
+    const knownPasswordHashBuff = Buffer.from(user.hashedPassword, 'hex');
 
-    if (hashedPassword === user.hashedPassword) {
+    if (crypto.timingSafeEqual(passwordAttemptHashBuff, knownPasswordHashBuff)) {
       return user;
     } else {
       throw new ForbiddenException();