From 232833cf93966c7ff616bd26696473c9e4c45eb3 Mon Sep 17 00:00:00 2001
From: Spidershield-contrib
Date: Fri, 27 Mar 2026 18:25:47 -0700
Subject: [PATCH] fix: use constant-time comparison for auth token (CWE-208)
 
---
 config.server.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
 
diff --git a/config.server.ts b/config.server.ts
index 69d8d9cd..934f2871 100644
--- a/config.server.ts
+++ b/config.server.ts
@@ -1,6 +1,15 @@
+import { timingSafeEqual } from 'crypto'
 import Providers, { AppProviders } from 'next-auth/providers'
 import { prisma, resolvedConfig } from './utils.server'
 
+function safeEqual(a: string, b: string): boolean {
+ try {
+ return timingSafeEqual(Buffer.from(a), Buffer.from(b))
+ } catch {
+ return false
+ }
+ }
+
 /**
 * Auth Providers
 * https://next-auth.js.org/configuration/providers
@@ -27,7 +36,8 @@ if (resolvedConfig.useLocalAuth) {
 async authorize(credentials: { username: string; password: string }) {
 if (
 credentials.username === process.env.USERNAME &&
- credentials.password === process.env.PASSWORD
+ process.env.PASSWORD &&
+ safeEqual(credentials.password, process.env.PASSWORD)
 ) {
 const user = await prisma.user.upsert({
 where: {
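Review bot: The new safeEqual helper still leaks the length of the expected secret, because timingSafeEqual throws on a length mismatch before comparing any bytes and the catch turns that throw into an immediate false, so a mismatched-length guess returns measurably faster than a same-length one. Hashing both sides to a fixed-length digest before calling timingSafeEqual removes that dependence and also makes the catch-all unnecessary, so unrelated errors are no longer swallowed. The helper should also carry a short TSDoc comment stating that it is constant-time with respect to the input contents and why both inputs are hashed first. If next-auth can hand authorize a non-string password at runtime despite the `string` annotation (I cannot confirm that from this hunk), a typeof guard keeps the helper from throwing where the old catch used to absorb it.
```typescript
import { createHash, timingSafeEqual } from 'crypto'
// … unchanged: next-auth / prisma imports …

/** Constant-time equality for secrets; both sides are hashed so the compare length never depends on the input. */
function safeEqual(a: string, b: string): boolean {
  if (typeof a !== 'string' || typeof b !== 'string') return false
  const ha = createHash('sha256').update(a).digest()
  const hb = createHash('sha256').update(b).digest()
  return timingSafeEqual(ha, hb)
}
```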
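Review bot: `process.env.PASSWORD` is read twice in the new condition, once as the truthiness guard and once as the value passed to safeEqual; hoisting it into a local before the `if` makes the narrowing explicit and guarantees both uses see the same value: `const expected = process.env.PASSWORD` and then `expected && safeEqual(credentials.password, expected)`. The username check on the context line directly above still uses a short-circuiting `===`, which is fine only because the username is not treated as a secret here; if that ever changes it should go through the same helper. The guard also makes an unset or empty PASSWORD fail closed silently, which is the right default but worth a one-line comment so it is not mistaken for a bug. The authorize body continues past the end of the hunk.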