⏱ Constant time string/buffer equals.
Coded with ❤️ by Simone Primarosa.
tsse is a string comparison algorithm to prevent Node.js timing attacks.
This differs from
crypto.timingSafeEqualbecause it:
- supports both
stringsandBuffers;- supports inputs of different lengths.
$ npm install --save tsse
const tsse = require('tsse');
const hash = '0a4d55a8d778e5022fab701977c5d840bbc486d0';
const givenHash = '1265a5eb08997ced279d3854629cba68a378b528';
if (tsse(hash, givenHash)) {
console.log('good hash');
} else {
console.log('bad hash');
}
// => bad hash
booleanDoes a constant-time String comparison.
NOTE: When hiddenStr and inputStr have different lengths hiddenStr is compared to itself, which makes the comparison non-commutative (time-wise).
Kind: global function
Returns: boolean - true if equals, false otherwise.
Access: public
| Param | Type | Description |
|---|---|---|
| hiddenStr | string | Buffer | A string that you don't want to leak. |
| inputStr | string | Buffer | Another string. |
Contributions are REALLY welcome and if you find a security flaw in this code, PLEASE report it.
See also the list of contributors who participated in this project.
This project is licensed under the MIT License - see the license file for details.
FAQs
Constant time string/buffer equals
The npm package tsse receives a total of 7,104 weekly downloads. As such, tsse popularity was classified as popular.
We found that tsse demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Five malicious NuGet packages impersonate Chinese .NET libraries to deploy a stealer targeting browser credentials, crypto wallets, SSH keys, and local files.
Security News
pnpm 11 turns on a 1-day Minimum Release Age and blocks exotic subdeps by default, adding safeguards against fast-moving supply chain attacks.
Security News
The remediated findings include organization permission bugs, stale project access after transfers, OIDC replay edge cases, audit logging gaps, and an IDOR in API token deletion.