Date: 2022-01-06

Constant-time comparison algorithm to prevent Node.js timing attacks.

For more information about Node.js timing attacks, please visit https://snyk.io/blog/node-js-timing-attack-ccc-ctf/.

NOTICE:

If you are using Node.js v6.6.0 or higher, you can use crypto.timingSafeEqual(a, b) from the crypto module. Keep in mind that crypto.timingSafeEqual only accepts Buffers of the same length! This package handles strings of different lengths for you.

Installation

$ npm install safe-compare

Usage

var safeCompare = require('safe-compare');

safeCompare('hello world', 'hello world'); // true

safeCompare('hello', 'not hello'); // false
safeCompare('hello foo', 'hello bar'); // false

Note: the runtime always corresponds to the length of the first parameter.
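The length restriction from the NOTICE and the first-parameter note above, worked through as an added example (this is not code from safe-compare or from Node.js): crypto.timingSafeEqual throws on inputs of different lengths, so the wrapper sizes both buffers to the first argument and checks the lengths separately. The names nativeThrowsOnLengthMismatch and timingSafeStringEqual are hypothetical, and the token values are constructed.

```javascript
'use strict';
const crypto = require('crypto');

// Returns true when crypto.timingSafeEqual rejects inputs of different length.
function nativeThrowsOnLengthMismatch() {
  try {
    crypto.timingSafeEqual(Buffer.from('hello'), Buffer.from('not hello'));
    return false;
  } catch (err) {
    return true;
  }
}

// Hypothetical wrapper (name and approach are assumptions of this example).
function timingSafeStringEqual(a, b) {
  const strA = String(a);
  const strB = String(b);
  const lenA = Buffer.byteLength(strA);
  const lenB = Buffer.byteLength(strB);

  // Both buffers take the byte length of the FIRST argument, so the amount
  // of work does not depend on the length of the second one.
  const bufA = Buffer.alloc(lenA);
  bufA.write(strA);
  const bufB = Buffer.alloc(lenA);
  bufB.write(strB); // zero-padded if shorter, truncated if longer

  // The buffers always have equal length here, so this call cannot throw.
  const sameBytes = crypto.timingSafeEqual(bufA, bufB);

  // Padding or truncation can make the bytes match ('abc\0' vs 'abc'),
  // so the original byte lengths must match as well.
  return sameBytes && lenA === lenB;
}

// Constructed sample values: the expected secret goes first.
const expectedToken = 's3cr3t-api-token';
console.log({
  nativeThrows: nativeThrowsOnLengthMismatch(),
  sameToken: timingSafeStringEqual(expectedToken, 's3cr3t-api-token'),
  shorterGuess: timingSafeStringEqual(expectedToken, 's3cr3t'),
  longerGuess: timingSafeStringEqual(expectedToken, 's3cr3t-api-token-extra'),
});
```

Pass the expected secret as the first argument so that the comparison time tracks the secret's length, not the length of the attacker-supplied value.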

Tests

npm test

What's the improvement of this package?

This Node.js module is an improvement on the two existing modules scmp and secure-compare. It uses the best parts of both implementations.

The implementation of scmp is a good base, but it has a shorter execution time if the strings' lengths are not equal. The package secure-compare always compares the two input strings, but its implementation is not as clean as scmp's.

License

safe-compare is released under the MIT license.