fix(node-agent): use timingSafeEqual for token comparison

Zac Gaetano 2026-06-03 04:52:10 +00:00
parent 63f05cd652
commit d16d19c26d
2 changed files with 10 additions and 2 deletions


@ -34,7 +34,7 @@ router.post('/', async (req, res, next) => {
`INSERT INTO users (username, password_hash, display_name, role) `INSERT INTO users (username, password_hash, display_name, role)
VALUES ($1, $2, $3, $4) VALUES ($1, $2, $3, $4)
RETURNING id, username, display_name, role, created_at`, RETURNING id, username, display_name, role, created_at`,
[username.trim(), hash, display_name || username.trim(), role || 'admin'] [username.trim(), hash, display_name || username.trim(), role || 'viewer']
); );
res.status(201).json(rows[0]); res.status(201).json(rows[0]);
} catch (err) { } catch (err) {
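Review bot: Any `role` value the client supplies still goes into the INSERT unchecked; `role || 'viewer'` only changes what happens when the field is omitted, so if `role` is read from the request body (the handler begins in the hunk header, outside the hunk, so this is inferred) a request can still set itself to 'admin' unless an earlier check rejects it. An allowlist before the query closes that gap, e.g. `const ROLES = new Set(['admin', 'viewer']);` and `if (role != null && !ROLES.has(role)) return res.status(400).json({ error: 'invalid role' });`. The commit title only mentions the token comparison in the node agent, so this default change deserves its own line in the message, or its own commit. `username.trim()` is also evaluated twice in the parameter array; hoisting it to a `const` once would make the two uses obviously identical.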


@ -461,7 +461,15 @@ function checkAgentAuth(req) {
if (!NODE_TOKEN) return true; if (!NODE_TOKEN) return true;
const hdr = req.headers['authorization'] || ''; const hdr = req.headers['authorization'] || '';
const m = /^Bearer\s+(.+)$/i.exec(hdr); const m = /^Bearer\s+(.+)$/i.exec(hdr);
return !!m && m[1] === NODE_TOKEN; if (!m) return false;
const token = m[1];
if (token.length !== NODE_TOKEN.length) return false;
try {
return crypto.timingSafeEqual(Buffer.from(token), Buffer.from(NODE_TOKEN));
} catch (_) {
return false;
}
} }
// ── Driver/SDK install ──────────────────────────────────────────────────── // ── Driver/SDK install ────────────────────────────────────────────────────
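Review bot: The early `if (token.length !== NODE_TOKEN.length) return false;` keeps the comparison from throwing but reintroduces a small observable difference, since mismatched lengths return before `timingSafeEqual` runs; comparing fixed-length digests removes both the length branch and the need for the try/catch: `const a = crypto.createHash('sha256').update(token).digest();`, `const b = crypto.createHash('sha256').update(NODE_TOKEN).digest();`, `return crypto.timingSafeEqual(a, b);`. Note that `token.length` counts UTF-16 units while `Buffer.from(token)` yields bytes, so equal string lengths can still produce unequal buffers; the digest form sidesteps that as well. The hunk assumes `crypto` is already imported at the top of the file, which is outside this view and worth confirming. The unchanged `if (!NODE_TOKEN) return true;` on the first line means an unset token disables agent auth entirely; that is pre-existing, but a comment such as `// NODE_TOKEN unset: agent auth is disabled (fail-open)` would make the deployment consequence explicit. The function's signature line sits in the hunk header, outside the hunk.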