From b726b14507d39239f060a1ff240c1cb698202e6d Mon Sep 17 00:00:00 2001
From: Daniel Abdelsamed
Date: Sun, 24 Sep 2023 11:52:22 -0400
Subject: [PATCH] Update comparison to timing safe (#1535)

---
 src/core/auth/auth.service.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/core/auth/auth.service.ts b/src/core/auth/auth.service.ts
index 635a8c22c..e33ef90cd 100644
--- a/src/core/auth/auth.service.ts
+++ b/src/core/auth/auth.service.ts
@@ -95,9 +95,11 @@ export class AuthService {
 * This will throw an error if the credentials are incorrect.
 */
 private async checkPassword(user: UserDto, password: string) {
- const hashedPassword = await this.hashPassword(password, user.salt);
+ const passwordAttemptHash = await this.hashPassword(password, user.salt);
+ const passwordAttemptHashBuff = Buffer.from(passwordAttemptHash, 'hex');
+ const knownPasswordHashBuff = Buffer.from(user.hashedPassword, 'hex');

- if (hashedPassword === user.hashedPassword) {
+ if (crypto.timingSafeEqual(passwordAttemptHashBuff, knownPasswordHashBuff)) {
 return user;
 } else {
 throw new ForbiddenException();
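Review bot: `crypto.timingSafeEqual` on the new `if` line throws a RangeError when its two buffers differ in length, so a stored `user.hashedPassword` that is missing, not hex, or written by an older hashing scheme (`Buffer.from(str, 'hex')` silently stops decoding at the first non-hex character) would surface as an unhandled error instead of the ForbiddenException the caller expects, turning a bad-credentials path into a 500 that also hints at the stored hash format. Compare lengths first and treat a mismatch as a failed login, which leaks only the hash length the algorithm already fixes: `if (passwordAttemptHashBuff.length !== knownPasswordHashBuff.length || !crypto.timingSafeEqual(passwordAttemptHashBuff, knownPasswordHashBuff)) { throw new ForbiddenException(); }` followed by `return user;`. The hunk adds no import for `crypto` and the diffstat shows no other change, so it is presumably already imported from 'crypto' for hashPassword; worth confirming it is the Node module rather than the Web Crypto global, which has no timingSafeEqual. checkPassword's closing braces fall outside the hunk.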