├── .gitignore
├── index.js
├── package.json
├── test.js
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
1 | node_modules
2 |
--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * Expose secure-compare
 3 |  */
 4 |
 5 | module.exports = compare;
 6 |
 7 |
 8 | /**
 9 |  * Secure compare
   |  *
   |  * Compares two strings without returning at the first differing
   |  * position: each UTF-16 code unit of `a` is XORed with the code unit at
   |  * the same index of `b` and the results are OR-ed into `mismatch`, so
   |  * the loop always runs `a.length` iterations.
   |  *
   |  * NOTE(review): the iteration count is `a.length`, so run time still
   |  * varies with the length of the first argument; input lengths are not
   |  * hidden. Whether the per-character work is constant-time in practice
   |  * depends on the JavaScript engine - confirm before relying on it for
   |  * secrets. The README recommends crypto.timingSafeEqual when targeting
   |  * Node.js v6.6.0+.
   |  *
   |  * @param {string} a - first string; its length sets the loop count
   |  * @param {string} b - second string
   |  * @returns {boolean} true only when both arguments are strings of equal
   |  *   length with identical code units; false otherwise, including when
   |  *   either argument is not a string
10 |  */
11 |
12 | function compare (a, b) {
13 |   if (typeof a !== 'string' || typeof b !== 'string') return false; // non-string input never matches
14 |
15 |   var mismatch = a.length === b.length ? 0 : 1; // starts at 1 when lengths differ, so the result is already false
16 |   if (mismatch) {
17 |     b = a; // lengths differ: compare `a` with itself so the loop below still runs a.length times
18 |   }
19 |
20 |   for (var i = 0, il = a.length; i < il; ++i) {
21 |     mismatch |= (a.charCodeAt(i) ^ b.charCodeAt(i)); // XOR is 0 only for equal code units; OR keeps any non-zero bit
22 |   }
23 |
24 |   return mismatch === 0;
25 | };
26 |
--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "secure-compare",
 3 |   "version": "3.0.1",
 4 |   "description": "Securely compare two strings, copied from cryptiles",
 5 |   "main": "index.js",
 6 |   "scripts": {
 7 |     "test": "./node_modules/.bin/mocha test"
 8 |   },
 9 |   "repository": {
10 |     "type": "git",
11 |     "url": "https://github.com/vdemedes/secure-compare.git"
12 |   },
13 |   "keywords": [
14 |     "secure",
15 |     "compare"
16 |   ],
17 |   "author": "Vadim Demedes ",
18 |   "license": "MIT",
19 |   "bugs": {
20 |     "url": "https://github.com/vdemedes/secure-compare/issues"
21 |   },
22 |   "homepage": "https://github.com/vdemedes/secure-compare",
23 |   "devDependencies": {
24 |     "chai": "^2.2.0",
25 |     "mocha": "^2.2.1"
26 |   }
27 | }
28 |
--------------------------------------------------------------------------------
/test.js:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * Dependencies
 3 |  */
 4 |
 5 | var compare = require('./');
 6 |
 7 | require('chai').should();
 8 |
 9 |
10 | /**
11 |  * Tests
   |  *
   |  * Functional checks only: each case asserts the boolean returned by
   |  * compare(); none of them measures how long the comparison takes.
12 |  */
13 |
14 | describe ('secure-compare', function () {
15 |   it ('should return true if the strings are identical', function () {
16 |     compare('abc', 'abc').should.equal(true);
17 |   });
18 |
19 |   it ('should return true if the strings are identical in utf8', function () {
20 |     compare('你好世界', '你好世界').should.equal(true); // non-ASCII input; compare() works on UTF-16 code units via charCodeAt
21 |   });
22 |
23 |   it('should return false if the strings are different lengths', function () {
24 |     compare('abc', 'ab').should.equal(false);
25 |   });
26 |
27 |   it('should return false if the strings have different contents', function () {
28 |     compare('abc', 'abd').should.equal(false);
29 |   });
30 | });
31 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # secure-compare
 2 |
 3 | Constant-time comparison algorithm to prevent timing attacks for Node.js.
 4 | Copied from [cryptiles](https://github.com/hapijs/cryptiles) by [C J Silverio](https://github.com/ceejbot).
 5 |
 6 | *If you're targeting Node.js v6.6.0+, use [crypto.timingSafeEqual](https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b) instead.*
 7 |
 8 |
 9 | ### Installation
10 |
11 | ```
12 | $ npm install secure-compare --save
13 | ```
14 |
15 |
16 | ### Usage
17 |
18 | ```javascript
19 | var compare = require('secure-compare');
20 |
21 | compare('hello world', 'hello world').should.equal(true);
22 | compare('你好世界', '你好世界').should.equal(true);
23 |
24 | compare('hello', 'not hello').should.equal(false);
25 | ```
26 |
27 |
28 | ### Tests
29 |
30 | ```
31 | $ npm test
32 | ```
33 |
34 |
35 | ### License
36 |
37 | secure-compare is released under the MIT license.
38 |
--------------------------------------------------------------------------------