feat: add timingSafeCompare

2025-06-15 04:57:40 +07:00 · 2025-06-15 04:57:40 +07:00 · 7f727bce1e
commit 7f727bce1e
--- a/apps/api/src/lib/middleware/authenticate.ts
+++ b/apps/api/src/lib/middleware/authenticate.ts
@ -1,4 +1,4 @@
-import { assert } from '@agentic/platform-core'
+import { assert, timingSafeCompare } from '@agentic/platform-core'
 import { createMiddleware } from 'hono/factory'

 import type { RawUser } from '@/db'
@ -23,10 +23,8 @@ export const authenticate = createMiddleware<AuthenticatedHonoEnv>(
    const token = parts.at(-1)
    assert(token, 401, 'Unauthorized')

-    // TODO: Use a more secure way to authenticate admin requests that doesn't
-    // use a single API key and isn't vulnerable to timing attacks.
-    // eslint-disable-next-line security/detect-possible-timing-attacks
-    if (token === env.AGENTIC_ADMIN_API_KEY) {
+    // TODO: Use a more secure way to authenticate gateway admin requests.
+    if (timingSafeCompare(token, env.AGENTIC_ADMIN_API_KEY)) {
      ctx.set('userId', 'admin')
      ctx.set('user', {
        id: 'admin',
--- a/packages/core/src/utils.ts
+++ b/packages/core/src/utils.ts
@ -1,3 +1,5 @@
+import { timingSafeEqual } from 'node:crypto'
+
 import type { z, ZodType } from 'zod'
 import hashObjectImpl, { type Options as HashObjectOptions } from 'hash-object'

@ -301,3 +303,15 @@ export function pruneEmptyDeep<T>(

  return value as any
 }
+
+export function timingSafeCompare(a: string, b: string): boolean {
+  if (typeof a !== 'string' || typeof b !== 'string') {
+    return false
+  }
+
+  if (a.length !== b.length) {
+    return false
+  }
+
+  return timingSafeEqual(Buffer.from(a), Buffer.from(b))
+}