Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 5 additions & 7 deletions src/app/api/auth/backfill-dids/route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,9 @@
*/

import { NextRequest, NextResponse } from "next/server";
import { timingSafeEqual } from "crypto";
import { createServiceClient } from "@/lib/supabase/service";
import { generateAndStoreDid } from "@/lib/auth/did";

function safeCompare(a: string, b: string): boolean {
if (a.length !== b.length) return false;
return timingSafeEqual(Buffer.from(a), Buffer.from(b));
}
import { timingSafeStringEqual } from "@/lib/security/constant-time";

export async function POST(request: NextRequest) {
const authHeader = request.headers.get("authorization") || "";
Expand All @@ -24,7 +19,10 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: "Server misconfiguration" }, { status: 500 });
}

if (!safeCompare(authHeader, `Bearer ${secret}`) && !safeCompare(authHeader, secret)) {
if (
!timingSafeStringEqual(authHeader, `Bearer ${secret}`) &&
!timingSafeStringEqual(authHeader, secret)
) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}

Expand Down
5 changes: 5 additions & 0 deletions src/app/api/auth/confirmed/route.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,11 @@ describe("POST /api/auth/confirmed", () => {
expect(res.status).toBe(401);
});

it("rejects Unicode secrets with mismatched byte lengths", async () => {
const res = await POST(makeRequest(confirmationPayload(), "éest-webhook-secret"));
expect(res.status).toBe(401);
});

it("returns 500 when AUTH_WEBHOOK_SECRET is not configured", async () => {
delete process.env.AUTH_WEBHOOK_SECRET;
const res = await POST(makeRequest(confirmationPayload(), null));
Expand Down
12 changes: 5 additions & 7 deletions src/app/api/auth/confirmed/route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,13 @@
*/

import { NextRequest, NextResponse } from "next/server";
import { timingSafeEqual } from "crypto";
import { createClient } from "@/lib/supabase/server";
import { createServiceClient } from "@/lib/supabase/service";
import { sendEmail, welcomeEmail } from "@/lib/email";
import { generateAndStoreDid } from "@/lib/auth/did";
import { createUserLnWallet } from "@/lib/lightning/create-wallet";
import { safeParseBody } from "@/lib/sanitize";
import { timingSafeStringEqual } from "@/lib/security/constant-time";

type AuthWebhookPayload = {
type?: string;
Expand All @@ -33,11 +33,6 @@ type AuthWebhookPayload = {
};
};

function safeCompare(a: string, b: string): boolean {
if (a.length !== b.length) return false;
return timingSafeEqual(Buffer.from(a), Buffer.from(b));
}

export async function POST(request: NextRequest) {
try {
// Verify the webhook secret to prevent unauthorized calls
Expand All @@ -49,7 +44,10 @@ export async function POST(request: NextRequest) {
return NextResponse.json({ error: "Server misconfiguration" }, { status: 500 });
}

if (!safeCompare(authHeader, `Bearer ${webhookSecret}`) && !safeCompare(authHeader, webhookSecret)) {
if (
!timingSafeStringEqual(authHeader, `Bearer ${webhookSecret}`) &&
!timingSafeStringEqual(authHeader, webhookSecret)
) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}

Expand Down
13 changes: 13 additions & 0 deletions src/lib/security/constant-time.test.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
import { describe, expect, it } from "vitest";
import { timingSafeStringEqual } from "./constant-time";

describe("timingSafeStringEqual", () => {
it("compares equal and unequal ASCII strings", () => {
expect(timingSafeStringEqual("secret", "secret")).toBe(true);
expect(timingSafeStringEqual("secret", "public")).toBe(false);
});

it("rejects strings with equal character length but unequal byte length", () => {
expect(timingSafeStringEqual("é", "a")).toBe(false);
});
});
7 changes: 7 additions & 0 deletions src/lib/security/constant-time.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
import { timingSafeEqual } from "crypto";

export function timingSafeStringEqual(a: string, b: string): boolean {
const aBytes = Buffer.from(a);
const bBytes = Buffer.from(b);
return aBytes.length === bBytes.length && timingSafeEqual(aBytes, bBytes);
}
Loading