safe-compareConstant-time comparison algorithm to prevent Node.js timing attacks.
For more information about Node.js timing attacks, please visit https://snyk.io/blog/node-js-timing-attack-ccc-ctf/.
If you are using Node.js v6.6.0 or higher, you can use crypto.timingSafeEqual(a, b) from the
cryptomodule. Keep in mind that the method
Buffers with the same length! This bundle will handle strings with different lengths for you.
$ npm install safe-compare --save
var safeCompare = require('safe-compare'); safeCompare('hello world', 'hello world'); // -> true safeCompare('hello', 'not hello'); // -> false safeCompare('hello foo', 'hello bar'); // -> false
Note: runtime is always corresponding to the length of the first parameter.
$ npm test
What's the improvement of this package?This Node.js module is a improvement of the two existing modules scmp and secure-compare. It uses the best parts of both implementations.
The implementation of scmp is a good base, but it has a shorter execution time if the string's length is not equal. The package secure-compare always compares the two input strings, but its implementation is not as clean as in scmp.