Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): constant-time owner-token comparison

Browse Source 
Owner bearer token was compared with === / !==, which short-circuits on the
first differing byte and leaks token length+prefix via response timing
(security-sweep-2026-06-01.md). New timingSafeStrEqual (crypto.timingSafeEqual
with a length pre-check so it never throws on length mismatch); wired into both
owner.js and agent_auth.js.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
root
2026-06-01 23:26:46 +10:00
parent c591b2aed1
commit 459a7749c9
4 changed files with 56 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/api/middleware/agent_auth.js
View File

@@ -1,4 +1,5 @@
import * as agents from '../../db/repos/agents.js';
import { timingSafeStrEqual } from '../../auth/safe_compare.js';
export async function agentOrOwner(req, res, next) {
const expectedOwner = process.env.OWNER_TOKEN;
@@ -12,7 +13,7 @@ export async function agentOrOwner(req, res, next) {
if (scheme !== 'Bearer' || !token) {
return res.status(401).json({ error: { code: 'unauthorized', message: 'missing bearer token' } });
}
if (token === expectedOwner) {
if (timingSafeStrEqual(token, expectedOwner)) {
req.actor = { kind: 'user', id: null };
return next();
}