feat: add timing safe equal comparison

UlisesGascon · blakeembrey · UlisesGascon · commit bac1e6a8530e · 2024-09-30T11:59:46.000+02:00
* chore: add tsscmp@1.0.6 as dependency
* feat: add timing safe equal comparison

Co-authored-by: Blake Embrey &lt;hello@blakeembrey.com&gt;
diff --git a/index.js b/index.js
@@ -1,3 +1,4 @@
+var timingSafeCompare = require('tsscmp');
 var http = require('http');
 
 /*!
@@ -53,7 +54,9 @@ module.exports = function basicAuth(callback, realm) {
     if ('string' != typeof password) throw new Error('password argument required');
     realm = arguments[2];
     callback = function(user, pass){
-      return user == username && pass == password;
+      const usernameValid = timingSafeCompare(user, username);
+      const passwordValid = timingSafeCompare(pass, password);
+      return usernameValid && passwordValid;
     }
   }
 
diff --git a/package.json b/package.json
@@ -18,12 +18,15 @@
     "url": "https://github.com/expressjs/basic-auth-connect/issues"
   },
   "devDependencies": {
+    "connect": "*",
     "mocha": "*",
     "should": "*",
-    "supertest": "*",
-    "connect": "*"
+    "supertest": "*"
   },
   "scripts": {
     "test": "make test"
+  },
+  "dependencies": {
+    "tsscmp": "^1.0.6"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+var timingSafeCompare = require('tsscmp');`
`1`	`2`	`var http = require('http');`
`2`	`3`
`3`	`4`	`/*!`
`@@ -53,7 +54,9 @@ module.exports = function basicAuth(callback, realm) {`
`53`	`54`	`if ('string' != typeof password) throw new Error('password argument required');`
`54`	`55`	`realm = arguments[2];`
`55`	`56`	`callback = function(user, pass){`
`56`		`- return user == username && pass == password;`
	`57`	`+ const usernameValid = timingSafeCompare(user, username);`
	`58`	`+ const passwordValid = timingSafeCompare(pass, password);`
	`59`	`+ return usernameValid && passwordValid;`
`57`	`60`	`}`
`58`	`61`	`}`
`59`	`62`