Return false as early as possible

7b28baf3 · Anthony Morris · c5433ae2 · 7b28baf3
Commit 7b28baf3 authored Oct 01, 2020 by Anthony Morris
--- a/src/auth/safe-compare.ts
+++ b/src/auth/safe-compare.ts
@@ -4,11 +4,15 @@ export default function safeCompare(stringA: string, stringB: string) {
    const aLen = Buffer.byteLength(stringA);
    const bLen = Buffer.byteLength(stringB);

+    if (aLen !== bLen) {
+        return false
+    }
+
    // Turn strings into buffers with equal length
    // to avoid leaking the length
    const buffA = Buffer.alloc(aLen, 0, 'utf8');
    buffA.write(stringA);
-    const buffB = Buffer.alloc(aLen, 0, 'utf8');
+    const buffB = Buffer.alloc(bLen, 0, 'utf8');
    buffB.write(stringB);

    return crypto.timingSafeEqual(buffA, buffB) && aLen === bLen;