krakenjs / lusca

Application security for express apps.

csrf http2 token validation fails while http1 passes #117

Closed avoidwork closed 6 years ago

avoidwork commented 6 years ago

Hi,

The timeSafeCompare() function appears to fail for HTTP/2 requests, while HTTP/1 works fine. My env is running Node 9.4.0, and my tests for the two protocols are equal.

http1 input: [screenshot, 2018-01-16 7:32:09 AM]

http2 input: [screenshot, 2018-01-16 7:32:31 AM]

The Node.js 9.4 changelog doesn't mention any crypto changes, so I'm confused: https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V9.md#9.4.0

avoidwork commented 6 years ago

Maybe this is related to #43?

avoidwork commented 6 years ago

Never mind, PEBCAK (cookie is missing).