Skip to content

simonepri/tsse

Repository files navigation

tsse

Latest version on npm Downloads on npm Project license
Lint status Test macOS status Test Ubuntu status Test Windows status Codecov Coverage report Known Vulnerabilities
XO Code Style used AVA Test Runner used Istanbul Test Coverage used NI Scaffolding System used NP Release System used

⏱ Constant time string/buffer equals.
Coded with ❤️ by Simone Primarosa.

Synopsis

tsse is a string comparison algorithm to prevent Node.js timing attacks.

This differs from crypto.timingSafeEqual because it:

  • supports both strings and Buffers;
  • supports inputs of different lengths.

Install

$ npm install --save tsse

Usage

const tsse = require('tsse');

const hash      = '0a4d55a8d778e5022fab701977c5d840bbc486d0';
const givenHash = '1265a5eb08997ced279d3854629cba68a378b528';

if (tsse(hash, givenHash)) {
  console.log('good hash');
} else {
  console.log('bad hash');
}
// => bad hash

API

tsse(hiddenStr, inputStr) ⇒ boolean

Does a constant-time String comparison.
NOTE: When hiddenStr and inputStr have different lengths hiddenStr is compared to itself, which makes the comparison non-commutative (time-wise).

Kind: global function
Returns: boolean - true if equals, false otherwise.
Access: public

Param Type Description
hiddenStr string | Buffer A string that you don't want to leak.
inputStr string | Buffer Another string.

Contributing

Contributions are REALLY welcome and if you find a security flaw in this code, PLEASE report it.

Authors

See also the list of contributors who participated in this project.

License

This project is licensed under the MIT License - see the license file for details.