krakenjs / lusca

Application security for express apps.

use double hmac comparison for tokens #86

Closed suryagh closed 7 years ago

suryagh commented 8 years ago

Tokens are compared using normal strict-equal-to; this approach is vulnerable to timing attacks.

Node cannot perform constant-time string comparison according to a relatively recent discussion by the node core team, and the recommendation is to use double HMAC comparison.

Fix: follows a similar approach used in the latest version of node.

P.S. In case you want to extract it to an external module, there is an npm module tsscmp.

linkRace commented 7 years ago

Looks solid to me, will be rolling this and others into a 1.5.0 soon.

grawk commented 7 years ago

Might we prefer using the tsscmp module to avoid the additional util and test file?

linkRace commented 7 years ago

@suryagh thoughts on tsscmp?

suryagh commented 7 years ago

@linkRace sounds good to me. I can update the PR.

suryagh commented 7 years ago

@linkRace @grawk updated to use tsscmp

linkRace commented 7 years ago

@grawk @indutny one more now that it's using tsscmp?