fix: harden public routine trigger auth

2026-03-20 13:23:31 -05:00
parent 13fd656e2b
commit a62c264ddf
2 changed files with 10 additions and 3 deletions
--- a/server/src/services/routines.ts
+++ b/server/src/services/routines.ts
@@ -1016,7 +1016,14 @@ export function routineService(db: Db, deps: { heartbeat?: IssueAssignmentWakeup
      const secretValue = await resolveTriggerSecret(trigger, routine.companyId);
      if (trigger.signingMode === "bearer") {
        const expected = `Bearer ${secretValue}`;
-        if (!input.authorizationHeader || input.authorizationHeader.trim() !== expected) {
+        const provided = input.authorizationHeader?.trim() ?? "";
+        const expectedBuf = Buffer.from(expected);
+        const providedBuf = Buffer.alloc(expectedBuf.length);
+        providedBuf.write(provided.slice(0, expectedBuf.length));
+        const valid =
+          provided.length === expected.length &&
+          crypto.timingSafeEqual(providedBuf, expectedBuf);
+        if (!valid) {
          throw unauthorized();
        }
      } else {