From cce9a1d0b0df382a67c52be8a341e5333f33cfb2 Mon Sep 17 00:00:00 2001
From: uzlopak
Date: Tue, 29 Nov 2022 12:47:53 +0100
Subject: [PATCH 1/2] add example

---
 example/example.js | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 example/example.js

diff --git a/example/example.js b/example/example.js
new file mode 100644
index 0000000..e3dd0f3
--- /dev/null
+++ b/example/example.js
@@ -0,0 +1,29 @@
+'use strict'
+
+const fastify = require('fastify')()
+const authenticate = {realm: 'Westeros'}
+
+const validUsername = 'Tyrion'
+const validPassword = 'wine'
+
+fastify.register(require('..'), { validate, authenticate })
+// `this` inside validate is `fastify`
+function validate (username, password, req, reply, done) {
+ if (username === validUsername && password === validPassword) {
+ done()
+ } else {
+ done(new Error('Winter is coming'))
+ }
+}
+
+fastify.after(() => {
+ fastify.addHook('onRequest', fastify.basicAuth)
+
+ fastify.get('/', (req, reply) => {
+ reply.send({ hello: 'world' })
+ })
+})
+
+const basicAuthCredentials = Buffer.from(`${validUsername}:${validPassword}`).toString('base64')
+console.log(`curl -H "authorization: Basic ${basicAuthCredentials}" http://localhost:3000`)
+fastify.listen({ port: 3000 })
\ No newline at end of file

From cb840c87b9bed9b7dcae273fe7da9d48528137ea Mon Sep 17 00:00:00 2001
From: uzlopak
Date: Tue, 29 Nov 2022 15:51:22 +0100
Subject: [PATCH 2/2] use timingSafeEqual

---
 example/example.js | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/example/example.js b/example/example.js
index e3dd0f3..d4d069d
--- a/example/example.js
+++ b/example/example.js
@@ -1,15 +1,33 @@
 'use strict'
 
 const fastify = require('fastify')()
-const authenticate = {realm: 'Westeros'}
+const crypto = require('crypto')
+const authenticate = { realm: 'Westeros' }
 
 const validUsername = 'Tyrion'
 const validPassword = 'wine'
 
 fastify.register(require('..'), { validate, authenticate })
+
+// perform constant-time comparison to prevent timing attacks
+function compare (a, b) {
+ a = Buffer.from(a)
+ b = Buffer.from(b)
+ if (a.length !== b.length) {
+ // Delay return with cryptographically secure timing check.
+ crypto.timingSafeEqual(a, a)
+ return false
+ }
+
+ return crypto.timingSafeEqual(a, b)
+}
+
 // `this` inside validate is `fastify`
 function validate (username, password, req, reply, done) {
- if (username === validUsername && password === validPassword) {
+ let result = true
+ result = compare(username, validUsername) && result
+ result = compare(password, validPassword) && result
+ if (result) {
 done()
 } else {
 done(new Error('Winter is coming'))
@@ -26,4 +44,4 @@ fastify.after(() => {
 
 const basicAuthCredentials = Buffer.from(`${validUsername}:${validPassword}`).toString('base64')
 console.log(`curl -H "authorization: Basic ${basicAuthCredentials}" http://localhost:3000`)
-fastify.listen({ port: 3000 })
\ No newline at end of file
+fastify.listen({ port: 3000 })
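Review bot: The length-mismatch branch of `compare` still leaks timing information, because `crypto.timingSafeEqual(a, a)` does work proportional to the attacker-supplied value rather than to the secret, so the equal-length and unequal-length paths take different time for the same input length and an attacker can recover the length of `validUsername` / `validPassword` by varying the length of what they send; the comment "Delay return with cryptographically secure timing check" overstates what that call achieves. Hashing both sides to a fixed-length digest before calling `timingSafeEqual` removes the length-dependent branch entirely and satisfies `timingSafeEqual`'s equal-length precondition without a separate check, so I would replace the body of `compare` with the version below. `Buffer.from(a)` also throws a TypeError on a non-string, non-Buffer argument; that looks safe here only because the plugin presumably decodes the Authorization header into strings before invoking `validate` — worth confirming against the plugin. `validate`'s body continues past the end of the hunk.
```javascript
// perform constant-time comparison to prevent timing attacks
function compare (a, b) {
  // Hash both sides to a fixed-length digest so that neither the branch taken
  // nor the amount of work done by timingSafeEqual depends on the secret's length.
  const digestA = crypto.createHash('sha256').update(Buffer.from(a)).digest()
  const digestB = crypto.createHash('sha256').update(Buffer.from(b)).digest()
  return crypto.timingSafeEqual(digestA, digestB)
}
// … unchanged: validate and the rest of the hunk …
```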