docs: add references about why we use crypto.timingSafeEqual (#525)

gr2m · web-flow · commit 9205ade00ed0 · 2021-04-01T19:38:39.000-04:00
diff --git a/src/verify/index.ts b/src/verify/index.ts
@@ -28,5 +28,8 @@ export function verify(
     return false;
   }
 
+  // constant time comparison to prevent timing attachs
+  // https://stackoverflow.com/a/31096242/206879
+  // https://en.wikipedia.org/wiki/Timing_attack
   return timingSafeEqual(signatureBuffer, verificationBuffer);
 }

Original file line number	Diff line number	Diff line change
`@@ -28,5 +28,8 @@ export function verify(`
`28`	`28`	`return false;`
`29`	`29`	`}`
`30`	`30`
	`31`	`+ // constant time comparison to prevent timing attachs`
	`32`	`+ // https://stackoverflow.com/a/31096242/206879`
	`33`	`+ // https://en.wikipedia.org/wiki/Timing_attack`
`31`	`34`	`return timingSafeEqual(signatureBuffer, verificationBuffer);`
`32`	`35`	`}`