From 6f513db94bcd8f45e568d92ac725a898d610e9ef Mon Sep 17 00:00:00 2001
From: Sam Hadow <sam.hadow@inbox.lv>
Date: Fri, 28 Mar 2025 08:22:34 +0100
Subject: [PATCH] constant time shared secret check

---
 src/authentication.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/authentication.js b/src/authentication.js
index 81e372e..2317268 100644
--- a/src/authentication.js
+++ b/src/authentication.js
@@ -1,11 +1,22 @@
 const { subtle } = require('node:crypto').webcrypto;
 const stringutils = require("./stringutils");
+const crypto = require('crypto');
 
 const sharedSecret = process.env.SHARED_SECRET;
 
 const authentication = {
     checkSharedSecret: (providedSecret) => {
-        return sharedSecret === providedSecret;
+        const sharedSecretBuffer = Buffer.from(sharedSecret);
+        const providedSecretBuffer = Buffer.from(providedSecret);
+
+        const length = Math.max(sharedSecretBuffer.length, providedSecretBuffer.length);
+        const paddedSharedSecret = Buffer.alloc(length, 0);
+        const paddedProvidedSecret = Buffer.alloc(length, 0);
+
+        sharedSecretBuffer.copy(paddedSharedSecret);
+        providedSecretBuffer.copy(paddedProvidedSecret);
+
+        return crypto.timingSafeEqual(paddedSharedSecret, paddedProvidedSecret);
     },
     verifySignature : async (msg, sig, publicKeys) => {
         try {