packages/backend/src/core/UserAuthService.ts

@@ -11,7 +11,7 @@ import type { MiUserProfile, UserProfilesRepository, UsersRepository } from '@/m
 import { bindThis } from '@/decorators.js';
 import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error.js';
 import type { MiLocalUser } from '@/models/User.js';
-import { secureishCompare } from '@/misc/secure-ish-compare.js';
+import * as crypto from 'node:crypto';
 
 @Injectable()
 export class UserAuthService {
@@ -29,7 +29,7 @@ export class UserAuthService {
 		if (profile.twoFactorBackupSecret?.includes(token)) {
 			await this.userProfilesRepository.update({ userId: profile.userId }, {
 				twoFactorBackupSecret: profile.twoFactorBackupSecret.filter(
-					(secret) => !secureishCompare(secret, token)
+					(secret) => !crypto.timingSafeEqual(secret, token)
 				),
 			});
 		} else {

packages/backend/src/misc/secure-ish-compare.ts

@@ -1,33 +0,0 @@
-/*
- * SPDX-FileCopyrightText: dakkar and other sharkey contributors
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-import * as crypto from 'node:crypto';
-
-export function secureishCompare(expected: string, given:string) {
-	const expectedLen = expected.length;
-	const givenLen = given.length;
-
-	/*
-		this ensures that the two strings are the same length, so
-		`timingSafeEqual` will not throw an error
-
-		notice that we perform the same operations regardless of the
-		length of the strings, we're trying not to leak timing
-		information!
-	*/
-	const paddedExpected = Buffer.from(expected + given);
-	const paddedGiven = Buffer.from(given + expected);
-
-	/*
-		if the two strings were equal, `sortOfEqual` will be true
-
-		if will be true in other cases, too! like `abc` and `abcabc`; but
-		then, `expectedLen` and `givenLen` would be different, and we'd
-		return false
-	*/
-	const sortOfEqual = crypto.timingSafeEqual(paddedExpected, paddedGiven);
-
-	return sortOfEqual && (givenLen === expectedLen);
-}

packages/backend/src/server/ActivityPubServerService.ts

@@ -38,7 +38,6 @@ import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOption
 import type { FindOptionsWhere } from 'typeorm';
 import type Logger from '@/logger.js';
 import { LoggerService } from '@/core/LoggerService.js';
-import { secureishCompare } from '@/misc/secure-ish-compare.js';
 
 const ACTIVITY_JSON = 'application/activity+json; charset=utf-8';
 const LD_JSON = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"; charset=utf-8';
@@ -288,7 +287,7 @@ export class ActivityPubServerService {
 
 			const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64');
 
-			if (!secureishCompare(hash, digestValue)) {
+			if (! crypto.timingSafeEqual(hash, digestValue)) {
 				// Invalid digest
 				reply.code(401);
 				return;

packages/backend/test/unit/misc/secure-ish-compare.ts

@@ -1,25 +0,0 @@
-/*
- * SPDX-FileCopyrightText: dakkar and other sharkey contributors
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-import { secureishCompare } from '@/misc/secure-ish-compare.js';
-
-describe(secureishCompare, () => {
-	it('should return true if strings are equal', () => {
-		expect(secureishCompare('abc','abc')).toBe(true);
-		expect(secureishCompare('aaa','aaa')).toBe(true);
-	});
-	it('should return false if strings are different', () => {
-		expect(secureishCompare('abc','def')).toBe(false);
-	});
-	it('should return false if one is prefix of the other', () => {
-		expect(secureishCompare('abc','abcabc')).toBe(false);
-		expect(secureishCompare('abcabc','abc')).toBe(false);
-		expect(secureishCompare('aaa','aa')).toBe(false);
-	});
-	it('should return false if strings are very different', () => {
-		expect(secureishCompare('abc','defghi')).toBe(false);
-		expect(secureishCompare('defghi','abc')).toBe(false);
-	});
-});