+1 vote
in NodeJS Essentials by
Identify the issue in following code snippet?

// Compares a stored API key with the one received in a request.
// Note: === returns as soon as it finds a differing character.
function checkApiKey (apiKeyFromDb, apiKeyReceived) {
  if (apiKeyFromDb === apiKeyReceived) {
    return true
  }
  return false
}

1 Answer

0 votes
by

There is no catch after the then. This way the error will be a silent one; there will be no indication that an error was thrown.

To fix it, you can do the following:

// Throwing inside the executor rejects the Promise; the catch makes the
// rejection visible instead of letting it disappear silently.
new Promise((resolve, reject) => {
  throw new Error('error')
}).then(console.log).catch(console.error)

If you have to debug a huge codebase, and you don't know which Promise can potentially hide an issue, you can use the unhandledRejection hook. It will print out all unhandled Promise rejections.

// Fires for every Promise rejection that has no handler attached.
process.on('unhandledRejection', (err) => {
  console.log(err)
})

by
When you compare security credentials it is crucial that you don't leak any information, so you have to make sure that you compare them in fixed time. If you fail to do so, your application will be vulnerable to timing attacks.

But why does it work like that?

V8, the JavaScript engine used by Node.js, tries to optimize the code you run from a performance point of view. It starts comparing the strings character by character, and once a mismatch is found, it stops the comparison operation. So the longer the prefix of the password the attacker has right, the more time it takes.

To solve this issue, you can use the npm module called cryptiles.

const cryptiles = require('cryptiles')

// fixedTimeComparison examines every character of both inputs, so the time
// taken does not depend on where the first mismatch is.
function checkApiKey (apiKeyFromDb, apiKeyReceived) {
  return cryptiles.fixedTimeComparison(apiKeyFromDb, apiKeyReceived)
}
