@juspay/neurolink/dist/lib/server/voice/tokenCompare.js

Universal AI Development Platform with working MCP integration, multi-provider support, voice (TTS/STT/realtime), and professional CLI. 58+ external MCP servers discoverable, multimodal file processing, RAG pipelines. Build, test, and deploy AI applicatio

import crypto from "crypto";
/**
 * Constant-time bearer-token comparison.
 *
 * Bug 2 mitigation: a normal `===` compare on bearer tokens leaks the token
 * length and the position of the first mismatching byte through timing
 * differences, which is reachable when the voice server is bound publicly
 * (`VOICE_SERVER_ALLOW_PUBLIC=1`).
 *
 * Returns `false` for any comparison whose lengths differ — this avoids the
 * `RangeError` that `crypto.timingSafeEqual` throws on mismatched buffers
 * while still preserving the constant-time property for equal-length inputs
 * (which is the only case an attacker can probe).
 */
export function timingSafeEqualString(provided, expected) {
    const providedBuf = Buffer.from(provided, "utf8");
    const expectedBuf = Buffer.from(expected, "utf8");
    if (providedBuf.length !== expectedBuf.length) {
        return false;
    }
    return crypto.timingSafeEqual(providedBuf, expectedBuf);
}
//# sourceMappingURL=tokenCompare.js.map