Skip to content

Commit

Permalink
Update comparison to timing safe (#1535)
Browse files Browse the repository at this point in the history
  • Loading branch information
BlenderDude authored Sep 24, 2023
1 parent 7fb6d29 commit b726b14
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions src/core/auth/auth.service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -95,9 +95,11 @@ export class AuthService {
* This will throw an error if the credentials are incorrect.
*/
private async checkPassword(user: UserDto, password: string) {
const hashedPassword = await this.hashPassword(password, user.salt);
const passwordAttemptHash = await this.hashPassword(password, user.salt);
const passwordAttemptHashBuff = Buffer.from(passwordAttemptHash, 'hex');
const knownPasswordHashBuff = Buffer.from(user.hashedPassword, 'hex');

if (hashedPassword === user.hashedPassword) {
if (crypto.timingSafeEqual(passwordAttemptHashBuff, knownPasswordHashBuff)) {
return user;
} else {
throw new ForbiddenException();
Expand Down

0 comments on commit b726b14

Please sign in to comment.