February 26, 2026 | 0.1.18 | Jugg.ai

v0.1.18 — fix: use timingSafeEqual for GitHub OAuth state CSRF check

Release v0.1.18: GitHub OAuth State Validation Fix

What changed

  • Replaced plain string comparison (!==) with crypto.timingSafeEqual() in the GitHub OAuth callback state validation
  • Added new verifyOAuthState() helper that safely compares CSRF tokens using constant-time comparison
  • Updated src/app/api/auth/github/callback/route.ts to use the new helper
  • Added 16 Vitest tests covering token validation edge cases

Why it matters

The previous OAuth state check leaked timing information that could allow an attacker to brute-force or infer the CSRF token one byte at a time. The constant-time comparison eliminates this attack vector by ensuring comparison takes the same duration regardless of where bytes differ.

Technical notes

verifyOAuthState() guards against empty inputs and length mismatches before calling timingSafeEqual(), which avoids the exception timingSafeEqual() throws when its two buffers differ in length and returns a plain boolean in every case.

Release Notes

Merged PR #426 (squash, commit 25a4fb78) — a medium-severity security fix replacing the timing-vulnerable !== CSRF state check in the GitHub OAuth callback with crypto.timingSafeEqual() via a new verifyOAuthState helper. Tag v0.1.18 already existed in the repo so no duplicate release was created. The fix ships with 16 new Vitest tests and has no breaking changes.