From 0dfc5e08c2740024c0788b5270dd8ce87d809579 Mon Sep 17 00:00:00 2001
From: Randall Kent
Date: Sat, 24 Dec 2016 14:35:45 -0500
Subject: [PATCH] Remediate timing attack vulnerability

---
 authentication.js | 7 ++++++-
 package.json | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/authentication.js b/authentication.js
index c3ab174..f845c67 100644
--- a/authentication.js
+++ b/authentication.js
@@ -1,4 +1,5 @@
 var LocalStrategy = require('passport-local').Strategy;
+var bufferEq = require('buffer-equal-constant-time');
 module.exports = function(passport, adminUsername, adminPassword) {
@@ -14,7 +15,11 @@ module.exports = function(passport, adminUsername, adminPassword) {
       usernameField: 'username',
       passwordField: 'password',
     }, function(username, password, done) {
-      if (adminUsername == username && adminPassword == password)
+      adminUsername = new Buffer(adminUsername);
+      adminPassword = new Buffer(adminPassword);
+      username = new Buffer(username);
+      password = new Buffer(password);
+      if (bufferEq(adminUsername, username) && bufferEq(adminPassword, password))
         done(null, username);
       else
         done(null, false, { message: "Incorrect Username or Password"} );
diff --git a/package.json b/package.json
index d19ffa3..3cfef5e 100644
--- a/package.json
+++ b/package.json
@@ -26,6 +26,7 @@
   "homepage": "https://github.com/Detry322/redisred",
   "dependencies": {
     "body-parser": "^1.13.2",
+    "buffer-equal-constant-time": "^1.0.1",
     "connect-redis": "^2.4.0",
     "cookie-parser": "^1.3.5",
     "csurf": "^1.8.3",
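Review bot: The `&&` on the new `if (bufferEq(adminUsername, username) && bufferEq(adminPassword, password))` line short-circuits, so when the username does not match the password comparison never runs and the response time still separates a correct username from an incorrect one; evaluate both `bufferEq` calls into locals before testing them. Reassigning `username` to a Buffer also changes what `done(null, username)` hands to passport (the user object becomes a Buffer instead of the submitted string), and reassigning the closure's `adminUsername`/`adminPassword` on every request mutates shared state, so the Buffers belong in locals. `new Buffer(x)` throws a TypeError on input that is neither string, array nor Buffer, which an oddly shaped request body can produce, so coerce with `String()` (or reject non-strings) first; on Node versions that provide it, `Buffer.from(x)` is the non-deprecated form. The strategy callback's closing lines fall outside the hunk.
```javascript
    }, function(username, password, done) {
      var expectedUser = new Buffer(String(adminUsername));
      var expectedPass = new Buffer(String(adminPassword));
      // Compute both results before combining them so a wrong username
      // costs the same time as a wrong password.
      var userMatch = bufferEq(expectedUser, new Buffer(String(username)));
      var passMatch = bufferEq(expectedPass, new Buffer(String(password)));
      if (userMatch && passMatch)
        done(null, username);
      // … unchanged: failure branch …
```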