Skip to content

fix: compare admin api key in constant time#99

Open
jamilahmadzai wants to merge 1 commit into
SmartDropLabs:mainfrom
jamilahmadzai:codex/smartdrop-admin-key-constant-time-89
Open

fix: compare admin api key in constant time#99
jamilahmadzai wants to merge 1 commit into
SmartDropLabs:mainfrom
jamilahmadzai:codex/smartdrop-admin-key-constant-time-89

Conversation

@jamilahmadzai

Copy link
Copy Markdown

Closes #89

Bounty: GrantFox OSS campaign for issue #89

Summary

  • Replace the raw ADMIN_API_KEY string equality check with a constant-time comparison over fixed-length SHA-256 digests
  • Keep generated API-key validation on its existing hash lookup path
  • Add auth tests proving the admin path invokes timingSafeEqual and handles wrong-length guesses without throwing
  • Document why the bootstrap admin key uses constant-time comparison

Validation

  • npm ci --ignore-scripts --no-audit
  • npm test -- test/auth.test.js --runInBand
  • npm test -- --runInBand
  • rg source scan for remaining raw admin secret comparisons
  • git diff --check

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Admin API key comparison uses non-constant-time string equality — timing side-channel

1 participant