dennii/dbgate
1
0
Fork 0
mirror of https://github.com/DeNNiiInc/dbgate.git synced 2026-04-22 15:46:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

timg safe compare token fixes #91

Browse Source
This commit is contained in:
Jan Prochazka
2021-04-30 17:21:35 +02:00
parent 4522c37bfa
commit bd6c116cc0
2 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/api/src/main.js
View File

@@ -31,6 +31,7 @@ const scheduler = require('./controllers/scheduler');
const { rundir } = require('./utility/directories'); const { rundir } = require('./utility/directories');
const platformInfo = require('./utility/platformInfo'); const platformInfo = require('./utility/platformInfo');
const processArgs = require('./utility/processArgs'); const processArgs = require('./utility/processArgs');
const timingSafeCheckToken = require('./utility/timingSafeCheckToken');
let authorization = null; let authorization = null;
let checkLocalhostOrigin = null; let checkLocalhostOrigin = null;
@@ -56,7 +57,7 @@ function start() {
} }
app.use(function (req, res, next) { app.use(function (req, res, next) {
if (authorization && req.headers.authorization != authorization) { if (authorization && !timingSafeCheckToken(req.headers.authorization, authorization)) {
return res.status(403).json({ error: 'Not authorized!' }); return res.status(403).json({ error: 'Not authorized!' });
} }
if (checkLocalhostOrigin) { if (checkLocalhostOrigin) {

9
packages/api/src/utility/timingSafeCheckToken.js Normal file
View File

@@ -0,0 +1,9 @@
const crypto = require('crypto');
function timingSafeCheckToken(a, b) {
if (!a || !b) return false;
if (a.length != b.length) return false;
return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
}
module.exports = timingSafeCheckToken;