fix: use timing-safe string comparison (#7)

Resolves #6
compwright · Oct 1, 2023 · af84da9 · af84da9
1 parent 78e3768
commit af84da9
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/XHubSignature.js b/src/XHubSignature.js
@@ -1,5 +1,7 @@
 import crypto from 'crypto'
 
+let encoder = new TextEncoder()
+
 export default class XHubSignature {
   #algorithm = null
   #secret = null
@@ -24,6 +26,12 @@ export default class XHubSignature {
   }
 
   verify (expectedSignature, requestBody) {
-    return expectedSignature === this.sign(requestBody)
+    const expected = encoder.encode(expectedSignature)
+    const actualSignature = this.sign(requestBody)
+    const actual = encoder.encode(signature)
+    if (expected.length !== actual.length) {
+      return false
+    }
+    return crypto.timingSafeEqual(expected, actual)
   }
 }