@fusionkit/model-gateway 0.1.5 → 0.1.6

package/dist/server.js

@@ -1,3 +1,4 @@
+import { timingSafeEqual } from "node:crypto";
 import { once } from "node:events";
 import { createServer } from "node:http";
 import { anthropicModelsResponse, handleAnthropicMessages, handleCountTokens } from "./adapters/anthropic.js";
@@ -224,10 +225,19 @@ async function pipeUpstream(res, upstream) {
 }
 function authorized(req, token) {
     const auth = req.headers.authorization;
-    if (typeof auth === "string" && auth === `Bearer ${token}`)
+    if (typeof auth === "string" && constantTimeEquals(auth, `Bearer ${token}`)) {
         return true;
+    }
     const apiKey = req.headers["x-api-key"];
-    return typeof apiKey === "string" && apiKey === token;
+    return typeof apiKey === "string" && constantTimeEquals(apiKey, token);
+}
+/** Length-independent constant-time string comparison (avoids timing leaks). */
+function constantTimeEquals(a, b) {
+    const aBuf = Buffer.from(a);
+    const bBuf = Buffer.from(b);
+    if (aBuf.length !== bBuf.length)
+        return false;
+    return timingSafeEqual(aBuf, bBuf);
 }
 function errorMessage(error) {
     return error instanceof Error ? error.message : String(error);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@fusionkit/model-gateway",
   "private": false,
-  "version": "0.1.5",
+  "version": "0.1.6",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/velum-labs/handoffkit.git",
@@ -25,7 +25,7 @@
     "provenance": true
   },
   "dependencies": {
-    "@fusionkit/adapter-ai-sdk": "0.1.5",
-    "@fusionkit/protocol": "0.1.5"
+    "@fusionkit/adapter-ai-sdk": "0.1.6",
+    "@fusionkit/protocol": "0.1.6"
   }
 }