From d16d19c26db2185efe078ef87824e1db03ea284c Mon Sep 17 00:00:00 2001
From: ZGaetano
Date: Wed, 3 Jun 2026 04:52:10 +0000
Subject: [PATCH] fix(node-agent): use timingSafeEqual for token comparison

---
 services/mam-api/src/routes/users.js | 2 +-
 services/node-agent/index.js | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/services/mam-api/src/routes/users.js b/services/mam-api/src/routes/users.js
index 3e93dba..a220229 100644
--- a/services/mam-api/src/routes/users.js
+++ b/services/mam-api/src/routes/users.js
@@ -34,7 +34,7 @@ router.post('/', async (req, res, next) => {
 `INSERT INTO users (username, password_hash, display_name, role)
 VALUES ($1, $2, $3, $4)
 RETURNING id, username, display_name, role, created_at`,
- [username.trim(), hash, display_name || username.trim(), role || 'admin']
+ [username.trim(), hash, display_name || username.trim(), role || 'viewer']
 );
 res.status(201).json(rows[0]);
 } catch (err) {
diff --git a/services/node-agent/index.js b/services/node-agent/index.js
index fc71219..371525e 100644
--- a/services/node-agent/index.js
+++ b/services/node-agent/index.js
@@ -461,7 +461,15 @@ function checkAgentAuth(req) {
 if (!NODE_TOKEN) return true;
 const hdr = req.headers['authorization'] || '';
 const m = /^Bearer\s+(.+)$/i.exec(hdr);
- return !!m && m[1] === NODE_TOKEN;
+ if (!m) return false;
+
+ const token = m[1];
+ if (token.length !== NODE_TOKEN.length) return false;
+ try {
+ return crypto.timingSafeEqual(Buffer.from(token), Buffer.from(NODE_TOKEN));
+ } catch (_) {
+ return false;
+ }
 }
 
 // ── Driver/SDK install ────────────────────────────────────────────────────
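Review bot: The new default `role || 'viewer'` only takes effect when the client omits `role`; a body that supplies `role: 'admin'` is still inserted unchanged, so unless the field is validated earlier in the handler (the start of the router.post callback is outside the hunk) the privilege downgrade only covers the omitted case. An allow-list before the INSERT closes that gap, e.g. `if (role != null && !['admin', 'viewer'].includes(role)) return res.status(400).json({ error: 'invalid role' });` (response shape constructed as an example). This users.js change is also not reflected in the commit subject, which names only node-agent; it deserves its own line in the message or its own commit so the default-role change is not lost in a timing-safe-compare fix.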
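Review bot: The added `if (token.length !== NODE_TOKEN.length) return false;` compares UTF-16 code-unit lengths while `timingSafeEqual` compares byte lengths, so the `try/catch` exists only to cover non-ASCII input that passes the first check and throws on the second; hashing both sides first yields equal-length buffers with no exception path and no length-dependent early exit, e.g. `const digest = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();` followed by `return crypto.timingSafeEqual(digest(token), digest(NODE_TOKEN));`. The unchanged `if (!NODE_TOKEN) return true;` at the top of the hunk makes the check fail open when no token is configured; if that is intended for local setups, a comment such as `// No NODE_TOKEN configured: agent auth is disabled (deliberate for local use)` and a startup warning would keep the next reader from treating it as a bug. The hunk assumes `crypto` is already in scope at the top of index.js, which is outside the hunk. If the `catch (_)` is kept, a one-line comment stating that the only expected throw is the byte-length mismatch would explain why it is swallowed.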