safe-compare
Constant-time comparison algorithm to prevent Node.js timing attacks.
For more information about Node.js timing attacks, please visit https://snyk.io/blog/node-js-timing-attack-ccc-ctf/.
NOTICE:
If you are using Node.js v6.6.0 or higher, you can use crypto.timingSafeEqual(a, b) from the crypto module. Keep in mind that the method crypto.timingSafeEqual only accepts Buffers with the same length! This bundle will handle strings with different lengths for you.
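The length restriction described in the notice, and one way to work around it with the built-in crypto module, as an added example that is not the safe-compare source. The names equalAnyLength, rawCompareThrows and COMPARE_KEY are hypothetical; hashing both inputs to fixed-size HMAC digests is a technique swapped in here, not the algorithm this package uses.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require('crypto');

// Per-process random key (assumption of this example): the digests are
// unpredictable to a caller, so the comparison reveals nothing about
// which bytes of the secret matched.
const COMPARE_KEY = randomBytes(32);

function digest(value) {
  return createHmac('sha256', COMPARE_KEY).update(value, 'utf8').digest();
}

// Returns true only when both strings are identical.
// Hashing time still grows with input length, so length is not hidden.
function equalAnyLength(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') {
    throw new TypeError('both arguments must be strings');
  }
  // Both digests are always 32 bytes, so timingSafeEqual cannot throw here.
  return timingSafeEqual(digest(a), digest(b));
}

// Shows the restriction from the notice: calling timingSafeEqual directly
// on buffers of unequal byte length throws instead of returning false.
function rawCompareThrows(a, b) {
  try {
    timingSafeEqual(Buffer.from(a, 'utf8'), Buffer.from(b, 'utf8'));
    return false;
  } catch (err) {
    return err.code === 'ERR_CRYPTO_TIMING_SAFE_EQUAL_LENGTH';
  }
}

// Constructed sample inputs, matching the strings used in the Usage section.
console.log(equalAnyLength('hello world', 'hello world'));
console.log(equalAnyLength('hello', 'not hello'));
console.log(rawCompareThrows('hello', 'not hello'));
```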
Installation
$ npm install safe-compare --save
Usage
var safeCompare = require('safe-compare');
safeCompare('hello world', 'hello world'); // -> true
safeCompare('hello', 'not hello'); // -> false
safeCompare('hello foo', 'hello bar'); // -> false
Note: the runtime always corresponds to the length of the first parameter.
Tests
$ npm test
What's the improvement of this package?
This Node.js module is an improvement on the two existing modules scmp and secure-compare. It uses the best parts of both implementations.
The implementation of scmp is a good base, but it has a shorter execution time if the strings' lengths are not equal. The package secure-compare always compares the two input strings, but its implementation is not as clean as in scmp.
License
safe-compare is released under the MIT license.