Using crypto.timingSafeEqual() for comparing auth tokens

elastic · May 23, 2018 · a95f1e0 · a95f1e0
1 parent 5886ebd
commit a95f1e0
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 2 deletions.
diff --git a/x-pack/plugins/beats/server/lib/crypto/are_tokens_equal.js b/x-pack/plugins/beats/server/lib/crypto/are_tokens_equal.js
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { timingSafeEqual } from 'crypto';
+
+export function areTokensEqual(token1, token2) {
+  return token1.length === token2.length
+    && timingSafeEqual(Buffer.from(token1, 'utf8'), Buffer.from(token2, 'utf8'));
+}
diff --git a/x-pack/plugins/beats/server/lib/crypto/index.js b/x-pack/plugins/beats/server/lib/crypto/index.js
@@ -0,0 +1,7 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export { areTokensEqual } from './are_tokens_equal';
diff --git a/x-pack/plugins/beats/server/routes/api/register_enroll_beat_route.js b/x-pack/plugins/beats/server/routes/api/register_enroll_beat_route.js
@@ -14,6 +14,7 @@ import {
 import { INDEX_NAMES } from '../../../common/constants';
 import { callWithInternalUserFactory } from '../../lib/client';
 import { wrapEsError } from '../../lib/error_wrappers';
+import { areTokensEqual } from '../../lib/crypto';
 
 async function getEnrollmentToken(callWithInternalUser, enrollmentToken) {
   const params = {
@@ -80,7 +81,7 @@ export function registerEnrollBeatRoute(server) {
       try {
         const enrollmentToken = request.headers['kbn-beats-enrollment-token'];
         const { token, expires_on: expiresOn } = await getEnrollmentToken(callWithInternalUser, enrollmentToken);
-        if (!token || token !== enrollmentToken) {
+        if (!token || !areTokensEqual(token, enrollmentToken)) {
           return reply({ message: 'Invalid enrollment token' }).code(400);
         }
         if (moment(expiresOn).isBefore(moment())) {

diff --git a/x-pack/plugins/beats/server/routes/api/register_update_beat_route.js b/x-pack/plugins/beats/server/routes/api/register_update_beat_route.js
@@ -9,6 +9,7 @@ import {  get } from 'lodash';
 import { INDEX_NAMES } from '../../../common/constants';
 import { callWithInternalUserFactory } from '../../lib/client';
 import { wrapEsError } from '../../lib/error_wrappers';
+import { areTokensEqual } from '../../lib/crypto';
 
 async function getBeat(callWithInternalUser, beatId) {
   const params = {
@@ -74,7 +75,7 @@ export function registerUpdateBeatRoute(server) {
           return reply({ message: 'Beat not found' }).code(404);
         }
 
-        const isAccessTokenValid = beat.access_token === request.headers['kbn-beats-access-token'];
+        const isAccessTokenValid = areTokensEqual(beat.access_token, request.headers['kbn-beats-access-token']);
         if (!isAccessTokenValid) {
           return reply({ message: 'Invalid access token' }).code(401);
         }