fix: replace deprecated scmp with crypto.timingSafeEqual (#15322)

denolfe · web-flow · commit 2511c022e6da · 2026-01-26T14:24:09.000-05:00
# Overview

Removes the deprecated `scmp` package and replaces it with Node.js's
native `crypto.timingSafeEqual()` for timing-safe password hash
comparison.

Resolves ECMS-356

## Key Changes

- **Replace scmp with crypto.timingSafeEqual**
- Added length pre-check before comparison (required since
`timingSafeEqual` throws on length mismatch, whereas `scmp` returned
false)
  
- **Remove scmp dependency**
- Eliminates deprecation warning: "scmp@2.1.0: Just use Node.js's
crypto.timingSafeEqual()"

## Design Decisions

The length pre-check (`hashBuffer.length === storedHashBuffer.length`)
preserves the original `scmp` behavior of returning false for mismatched
lengths, rather than throwing an error. This maintains backward
compatibility and security semantics.

## Overall Flow

```mermaid
sequenceDiagram
    participant Client
    participant authenticateLocalStrategy
    participant crypto

    Client-&gt;&gt;authenticateLocalStrategy: password + doc (hash, salt)
    authenticateLocalStrategy-&gt;&gt;crypto: pbkdf2(password, salt)
    crypto--&gt;&gt;authenticateLocalStrategy: hashBuffer
    authenticateLocalStrategy-&gt;&gt;authenticateLocalStrategy: Check buffer lengths match
    alt Lengths match
        authenticateLocalStrategy-&gt;&gt;crypto: timingSafeEqual(hashBuffer, storedHashBuffer)
        crypto--&gt;&gt;authenticateLocalStrategy: boolean
    else Lengths differ
        authenticateLocalStrategy--&gt;&gt;Client: null (fail fast)
    end
    authenticateLocalStrategy--&gt;&gt;Client: doc | null
```
diff --git a/packages/payload/package.json b/packages/payload/package.json
@@ -125,7 +125,6 @@
     "qs-esm": "7.0.2",
     "range-parser": "1.2.1",
     "sanitize-filename": "1.6.3",
-    "scmp": "2.1.0",
     "ts-essentials": "10.0.3",
     "tsx": "4.20.3",
     "undici": "7.18.2",
diff --git a/packages/payload/src/auth/strategies/local/authenticate.spec.ts b/packages/payload/src/auth/strategies/local/authenticate.spec.ts
@@ -0,0 +1,63 @@
+import crypto from 'crypto'
+
+import { describe, expect, it } from 'vitest'
+
+import { authenticateLocalStrategy } from './authenticate.js'
+
+// Helper to generate hash/salt like Payload does
+const generateHashAndSalt = (password: string): { hash: string; salt: string } => {
+  const salt = crypto.randomBytes(32).toString('hex')
+  const hash = crypto.pbkdf2Sync(password, salt, 25000, 512, 'sha256').toString('hex')
+  return { hash, salt }
+}
+
+describe('authenticateLocalStrategy', () => {
+  it('should return doc when password is valid', async () => {
+    const password = 'test-password'
+    const { hash, salt } = generateHashAndSalt(password)
+    const doc = { id: 1, hash, salt }
+
+    const result = await authenticateLocalStrategy({ doc, password })
+
+    expect(result).toEqual(doc)
+  })
+
+  it('should return null when password is invalid', async () => {
+    const { hash, salt } = generateHashAndSalt('correct-password')
+    const doc = { id: 1, hash, salt }
+
+    const result = await authenticateLocalStrategy({ doc, password: 'wrong-password' })
+
+    expect(result).toBeNull()
+  })
+
+  it('should return null when salt is missing', async () => {
+    const { hash } = generateHashAndSalt('test-password')
+    const doc = { id: 1, hash }
+
+    const result = await authenticateLocalStrategy({ doc, password: 'test-password' })
+
+    expect(result).toBeNull()
+  })
+
+  it('should return null when hash is missing', async () => {
+    const { salt } = generateHashAndSalt('test-password')
+    const doc = { id: 1, salt }
+
+    const result = await authenticateLocalStrategy({ doc, password: 'test-password' })
+
+    expect(result).toBeNull()
+  })
+
+  it('should return null when hash has different length (tampered)', async () => {
+    const password = 'test-password'
+    const { salt } = generateHashAndSalt(password)
+    // Truncated hash - different length than expected 512 bytes
+    const shortHash = 'abcd1234'
+    const doc = { id: 1, hash: shortHash, salt }
+
+    const result = await authenticateLocalStrategy({ doc, password })
+
+    expect(result).toBeNull()
+  })
+})
diff --git a/packages/payload/src/auth/strategies/local/authenticate.ts b/packages/payload/src/auth/strategies/local/authenticate.ts
@@ -1,7 +1,5 @@
 // @ts-strict-ignore
 import crypto from 'crypto'
-// @ts-expect-error - no types available
-import scmp from 'scmp'
 
 import type { TypeWithID } from '../../../collections/config/types.js'
 
@@ -23,7 +21,12 @@ export const authenticateLocalStrategy = async ({ doc, password }: Args): Promis
             reject(e)
           }
 
-          if (scmp(hashBuffer, Buffer.from(hash, 'hex'))) {
+          const storedHashBuffer = Buffer.from(hash, 'hex')
+
+          if (
+            hashBuffer.length === storedHashBuffer.length &&
+            crypto.timingSafeEqual(hashBuffer, storedHashBuffer)
+          ) {
             resolve(doc)
           } else {
             reject(new Error('Invalid password'))
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
