Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update password comparison to timing safe #1535

Merged
merged 8 commits into from
Sep 24, 2023
Merged

Update password comparison to timing safe #1535

merged 8 commits into from
Sep 24, 2023

Conversation

BlenderDude
Copy link
Contributor

♻️ Current situation

Current password check code allows for the hash to be guessed utilizing a timing attack.

💡 Proposed solution

Simple update to the password check function that utilizes crypto.timingSafeEqual such that comparisons are always the same time.

⚙️ Release Notes

Increased password security with timing safe comparison

Testing

Testing should be covered by existing cases in auth.e2e-spec.ts

@bwp91 bwp91 changed the base branch from master to beta-4.50.6 September 18, 2023 19:11
@bwp91
Copy link
Contributor

bwp91 commented Sep 18, 2023

Hi @BlenderDude
Thanks for your time on this PR.

Can you explain the changes in laymans terms?

I guess this would not result in any difference in behaviour for a standard user logging in?

@coveralls
Copy link

coveralls commented Sep 18, 2023
edited
Loading

Pull Request Test Coverage Report for Build 6226959456

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 22 unchanged lines in 1 file lost coverage.
  • Overall coverage increased (+0.4%) to 43.833%
Files with Coverage Reduction New Missed Lines %
src/core/auth/auth.service.ts 22 80.09%
Totals Coverage Status
Change from base Build 6226816346: 0.4%
Covered Lines: 2126
Relevant Lines: 4509
💛 - Coveralls

@donavanbecker donavanbecker enabled auto-merge (squash) September 24, 2023 15:31
@donavanbecker donavanbecker merged commit b726b14 into homebridge:beta-4.50.6 Sep 24, 2023
5 checks passed
@donavanbecker donavanbecker mentioned this pull request Sep 27, 2023
Merged
donavanbecker added a commit that referenced this pull request Sep 28, 2023
@bwp91 @dnicolson
@donavanbecker @SamuelMagano @NorthernMan54 @BlenderDude
beta -> main (#1546)
5cc7065 
## 4.50.6 (2023-09-27)

### Bug Fixes

- **System:** Update comparison to timing safe ([1535](#1535))

### Other Changes

- **i18n:** Update pt.json ([1503](#1520))
- **i18n:** Use verb form for buttons and menu items ([1533](#1533))
- **i18n:** Wait for custom UI ([1526](#1526))
- Updated npm dependencies

---------

Co-authored-by: Dave Nicolson <[email protected]>
Co-authored-by: Donavan Becker <[email protected]>
Co-authored-by: SamuelMagano <[email protected]>
Co-authored-by: Northern Man <[email protected]>
Co-authored-by: Daniel Abdelsamed <[email protected]>
Co-authored-by: Donavan Becker <[email protected]>
@donavanbecker donavanbecker mentioned this pull request Sep 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@donavanbecker donavanbecker donavanbecker approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@BlenderDude @bwp91 @coveralls @donavanbecker