Prevents timing attacks using Brad Hill's
Double HMAC pattern
to perform secure string comparison. Double HMAC avoids the timing atacks by blinding the
timing channel using random time per attempt comparison against iterative brute force attacks.
npm install tsscmp
To compare secret values like authentication tokens, passwords or
capability urls so that timing information is not
leaked to the attacker.
var timingSafeCompare = require('tsscmp');
var sessionToken = '127e6fbfe24a750e72930c';
var givenToken = '127e6fbfe24a750e72930c';
if (timingSafeCompare(sessionToken, givenToken)) {
console.log('good token');
} else {
console.log('bad token');
}
Credits to: @jsha |
@bnoordhuis |
@suryagh |