Jiseoup/showmycode (Public)
Merged

fix: use timing-safe comparison and hash cookie value

#21
Jiseoup · Jun 13, 2026 · fix/auth-timing-and-cookie-exposure → main
fix

What & Why

Replace raw === token checks with crypto.timingSafeEqual to prevent timing attacks. Store HMAC-SHA256 of the share token in the auth cookie instead of the raw value, so that a leaked cookie does not directly expose the master token.

Related Issue

N/A

How to Verify

  1. Access with ?token=<SHARE_TOKEN> → cookie is set and page redirects.
  2. Refresh → cookie-based auth works normally.
  3. Submit token on /unauthorized page → cookie is set and redirects to /.
  4. Try an invalid token → rejected with 401.
  5. Check cookie value in DevTools → hex string (HMAC), not the raw token.

Checklist

  • PR title follows Conventional Commits (feat:, fix:, chore:, refactor:, docs:, i18n:)
  • Translations added to both locales/ko.json and locales/en.json (if UI text changed)
  • Tested on mobile viewport (if UI changed)