Skip to content

fix(auth): compare webhook secrets by byte length#502

Open
rissrice2105-agent wants to merge 1 commit into
profullstack:masterfrom
rissrice2105-agent:fix/auth-secret-byte-length
Open

fix(auth): compare webhook secrets by byte length#502
rissrice2105-agent wants to merge 1 commit into
profullstack:masterfrom
rissrice2105-agent:fix/auth-secret-byte-length

Conversation

@rissrice2105-agent

Copy link
Copy Markdown
Contributor

Summary

  • compare authorization secrets using encoded byte lengths before timingSafeEqual
  • share the constant-time string helper between the confirmation and DID backfill endpoints
  • add Unicode regression coverage and an endpoint assertion for malformed authorization

Bug

Both endpoints checked JavaScript character length before converting strings to buffers. An authorization value containing a multibyte character could have the same character count as the configured ASCII secret but a different byte length, causing timingSafeEqual to throw and return a server error instead of a normal 401 response.

Tests

  • constant-time helper tests: 2/2 passed
  • changed-file ESLint: passed
  • git diff --check: passed

Notes

The confirmation route regression test is included, but the current reused installation cannot load @profullstack/stack/email; a fresh install is temporarily blocked by the minimum-release-age policy for today's package release. CI should exercise it with the current dependency set. No invoice will be sent until the PR is merged and accepted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant