termbeam 1.21.4 → 1.21.5

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [1.21.5] - 2026-04-23
+
+- fix(auth): constant-time password comparison (#204) (@TickTockBent)
+- fix(auth): use raw timingSafeEqual instead of HMAC for password compare (@dorlugasigal)
+- fix(auth): pad to fixed length in safeCompare instead of self-compare (@dorlugasigal)
+
 ## [1.21.4] - 2026-04-23
 
 - feat: add author attribution to changelog via gh api (@dorlugasigal)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.21.4",
+  "version": "1.21.5",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server/index.js",
   "bin": {

package/src/server/auth.js

@@ -290,6 +290,28 @@ const LOGIN_HTML = `<!DOCTYPE html>
 </body>
 </html>`;
 
+// Constant-time string compare using crypto.timingSafeEqual on raw bytes.
+// We intentionally do NOT hash the inputs: this is an equality check against
+// an in-memory secret (never stored), and hashing would trip CodeQL's
+// js/insufficient-password-hash rule which targets password *storage*.
+//
+// To avoid leaking length via early-return, both inputs are copied into
+// fixed-length zero-padded buffers before timingSafeEqual, and the final
+// result is AND-ed with a real length check.
+const SAFE_COMPARE_LEN = 256;
+function safeCompare(a, b) {
+  if (typeof a !== 'string' || typeof b !== 'string') return false;
+  const ab = Buffer.from(a, 'utf8');
+  const bb = Buffer.from(b, 'utf8');
+  if (ab.length > SAFE_COMPARE_LEN || bb.length > SAFE_COMPARE_LEN) return false;
+  const ap = Buffer.alloc(SAFE_COMPARE_LEN);
+  const bp = Buffer.alloc(SAFE_COMPARE_LEN);
+  ab.copy(ap);
+  bb.copy(bp);
+  const bytesEqual = crypto.timingSafeEqual(ap, bp);
+  return bytesEqual && ab.length === bb.length;
+}
+
 function createAuth(password) {
   const tokens = new Map();
   const authAttempts = new Map();
@@ -373,7 +395,7 @@ function createAuth(password) {
         log.warn(`Auth: rate limit exceeded for ${ip}`);
         return res.status(429).json({ error: 'Too many attempts. Try again later.' });
       }
-      if (authHeader === `Bearer ${password}`) return next();
+      if (safeCompare(authHeader.slice('Bearer '.length), password)) return next();
       recent.push(now);
       authAttempts.set(ip, recent);
       return res.status(401).json({ error: 'unauthorized' });
@@ -416,9 +438,10 @@ function createAuth(password) {
     middleware,
     rateLimit,
     parseCookies,
+    safeCompare,
     loginHTML: LOGIN_HTML,
     cleanup: () => clearInterval(cleanupInterval),
   };
 }
 
-module.exports = { createAuth };
+module.exports = { createAuth, safeCompare };

package/src/server/routes.js

@@ -133,7 +133,7 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager, copilotS
   // Auth API
   app.post('/api/auth', auth.rateLimit, (req, res) => {
     const { password } = req.body || {};
-    if (password === auth.password) {
+    if (auth.safeCompare(password, auth.password)) {
       const token = auth.generateToken();
       res.cookie('pty_token', token, {
         httpOnly: true,

package/src/server/websocket.js

@@ -127,7 +127,7 @@ function setupWebSocket(wss, { auth, sessions, copilotService }) {
             return;
           }
 
-          if (msg.password === auth.password || auth.validateToken(msg.token)) {
+          if (auth.safeCompare(msg.password, auth.password) || auth.validateToken(msg.token)) {
             authenticated = true;
             ws.send(JSON.stringify({ type: 'auth_ok' }));
             log.info('WS: auth success');