Use buffer-equal-constant-time to evaluate apikey

2024-12-19 05:37:53 +00:00 · 2016-05-23 23:59:45 -03:00 · 2016-05-23 23:59:45 -03:00 · ed7b936fee
commit ed7b936fee
parent 1780a49030
2 changed files with 4 additions and 2 deletions
--- a/package.json
+++ b/package.json
@ -9,6 +9,7 @@
    "blinking": "~0.0.2",
    "bluebird": "^2.9.24",
    "body-parser": "^1.12.0",
+    "buffer-equal-constant-time": "^1.0.1",
    "coffee-script": "~1.9.1",
    "docker-progress": "^2.0.1",
    "dockerode": "~2.2.9",
@ -22,8 +23,8 @@
    "pinejs-client": "^1.7.1",
    "pubnub": "^3.7.13",
    "request": "^2.51.0",
-    "resin-register-device": "^2.0.0",
    "request-progress": "^0.3.1",
+    "resin-register-device": "^2.0.0",
    "rwlock": "^5.0.0",
    "sqlite3": "3.0.9",
    "typed-error": "~0.1.0"
--- a/src/api.coffee
+++ b/src/api.coffee
@ -4,6 +4,7 @@ utils = require './utils'
 knex = require './db'
 express = require 'express'
 bodyParser = require 'body-parser'
+bufferEq = require 'buffer-equal-constant-time'
 request = require 'request'
 config = require './config'
 device = require './device'
@ -24,7 +25,7 @@ module.exports = (application) ->
 	api.use (req, res, next) ->
 		utils.getOrGenerateSecret('api')
 		.then (secret) ->
-			if req.query.apikey is secret
+			if bufferEq(new Buffer(req.query.apikey), new Buffer(secret))
 				next()
 			else
 				res.sendStatus(401)