@riddix/hamh 2.1.0-alpha.593 → 2.1.0-alpha.595

package/dist/backend/cli.js

@@ -149122,9 +149122,7 @@ function lockCredentialApi(lockCredentialStorage) {
     async (_req, res) => {
       const credentials = lockCredentialStorage.getAllCredentials();
       const sanitizedCredentials = credentials.map(sanitizeCredential);
-      res.json({
-        credentials: sanitizedCredentials
-      });
+      res.json({ credentials: sanitizedCredentials });
     }
   );
   router.get(
@@ -153122,7 +153120,7 @@ var EntityMappingStorage = class extends Service {
 
 // src/services/storage/lock-credential-storage.ts
 init_service();
-import { pbkdf2Sync, randomBytes as randomBytes2 } from "node:crypto";
+import { pbkdf2Sync, randomBytes as randomBytes2, timingSafeEqual as timingSafeEqual2 } from "node:crypto";
 var CURRENT_VERSION2 = 2;
 var HASH_ITERATIONS = 1e5;
 var HASH_KEY_LENGTH = 64;
@@ -153203,8 +153201,15 @@ var LockCredentialStorage = class extends Service {
     if (!credential?.enabled) {
       return false;
     }
-    const hash2 = this.hashPin(pin, credential.pinCodeSalt);
-    return hash2 === credential.pinCodeHash;
+    const computed = Buffer.from(
+      this.hashPin(pin, credential.pinCodeSalt),
+      "hex"
+    );
+    const expected = Buffer.from(credential.pinCodeHash, "hex");
+    if (computed.length !== expected.length) {
+      return false;
+    }
+    return timingSafeEqual2(computed, expected);
   }
   /**
    * Check if a credential exists and is enabled for an entity