Use constant-time compare for admin auth

Author: vdavid

apps/license-server/src/index.ts

@@ -1,7 +1,7 @@
 import { Hono } from 'hono'
 import { generateLicenseKey, generateShortCode, isValidShortCode, type LicenseType } from './license'
 import { sendLicenseEmail } from './email'
-import { verifyPaddleWebhookMulti } from './paddle'
+import { constantTimeEqual, verifyPaddleWebhookMulti } from './paddle'
 import {
     getSubscriptionStatus,
     getLicenseTypeFromPriceId,
@@ -349,7 +349,7 @@ app.post('/admin/generate', async (c) => {
     const validSecrets = [c.env.PADDLE_WEBHOOK_SECRET_LIVE, c.env.PADDLE_WEBHOOK_SECRET_SANDBOX].filter(
         (s): s is string => !!s,
     )
-    const isAuthorized = validSecrets.some((secret) => authHeader === `Bearer ${secret}`)
+    const isAuthorized = validSecrets.some((secret) => constantTimeEqual(authHeader ?? '', `Bearer ${secret}`))
     if (!isAuthorized) {
         return c.json({ error: 'Unauthorized' }, 401)
     }

apps/license-server/src/paddle.ts

@@ -1,5 +1,5 @@
 /** XOR-accumulate comparison that always inspects every byte, preventing timing attacks. */
-function constantTimeEqual(a: string, b: string): boolean {
+export function constantTimeEqual(a: string, b: string): boolean {
     if (a.length !== b.length) return false
     let mismatch = 0
     for (let i = 0; i < a.length; i++) {