vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-05 13:40:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden hook and device token auth

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-13 01:23:26 +01:00
parent 54513f4240
commit 113ebfd6a2
9 changed files with 190 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/security/secret-equal.test.ts Normal file
View File

@@ -0,0 +1,22 @@
import { describe, expect, it } from "vitest";
import { safeEqualSecret } from "./secret-equal.js";
describe("safeEqualSecret", () => {
it("matches identical secrets", () => {
expect(safeEqualSecret("secret-token", "secret-token")).toBe(true);
});
it("rejects mismatched secrets", () => {
expect(safeEqualSecret("secret-token", "secret-tokEn")).toBe(false);
});
it("rejects different-length secrets", () => {
expect(safeEqualSecret("short", "much-longer")).toBe(false);
});
it("rejects missing values", () => {
expect(safeEqualSecret(undefined, "secret")).toBe(false);
expect(safeEqualSecret("secret", undefined)).toBe(false);
expect(safeEqualSecret(null, "secret")).toBe(false);
});
});

16
src/security/secret-equal.ts Normal file
View File

@@ -0,0 +1,16 @@
import { timingSafeEqual } from "node:crypto";
export function safeEqualSecret(
provided: string | undefined | null,
expected: string | undefined | null,
): boolean {
if (typeof provided !== "string" || typeof expected !== "string") {
return false;
}
const providedBuffer = Buffer.from(provided);
const expectedBuffer = Buffer.from(expected);
if (providedBuffer.length !== expectedBuffer.length) {
return false;
}
return timingSafeEqual(providedBuffer, expectedBuffer);
}