🔒 [security] Fix timing attack vulnerabilities in IPFS upload and admin routes

relay/src/index.ts

@@ -171,7 +171,10 @@ async function initializeServer() {
 
     // Se ha headers, verifica il token
     if (msg && msg.headers && msg.headers.token) {
-      const hasValidAuth = msg.headers.token === authConfig.adminPassword;
+      const tokenHash = hashToken(msg.headers.token);
+      const adminHash = hashToken(authConfig.adminPassword || "");
+      const hasValidAuth = secureCompare(tokenHash, adminHash);
+
       if (hasValidAuth) {
         loggers.server.info(`🔍 PUT allowed - valid token: ${msg.headers}`);
         return true;
@@ -372,10 +375,13 @@ async function initializeServer() {
       const authHeader = req.headers["authorization"];
       const bearerToken = authHeader && authHeader.split(" ")[1];
       const customToken = req.headers["token"];
-      const formToken = req.query["_auth_token"]; // Token inviato tramite form
+      const formToken = req.query["_auth_token"] as string | undefined; // Token inviato tramite form
       const token = bearerToken || customToken || formToken;
 
-      if (token === authConfig.adminPassword) {
+      const tokenHash = hashToken(token || "");
+      const adminHash = hashToken(authConfig.adminPassword || "");
+
+      if (token && secureCompare(tokenHash, adminHash)) {
         next();
       } else {
         loggers.server.warn(`❌ Accesso negato a ${path} - Token mancante o non valido`);

relay/src/routes/index.ts

@@ -395,7 +395,10 @@ export default (app: express.Application) => {
       (req.headers["authorization"] && (req.headers["authorization"] as string).split(" ")[1]) ||
       req.headers["token"];
 
-    if (token === authConfig.adminPassword) {
+    const tokenHash = hashToken((token as string) || "");
+    const adminHash = hashToken(authConfig.adminPassword || "");
+
+    if (token && secureCompare(tokenHash, adminHash)) {
       res.redirect("/api/v1/ipfs/webui/?auth_token=" + encodeURIComponent(token as string));
       return;
     }
@@ -641,7 +644,10 @@ export default (app: express.Application) => {
       const customToken = req.headers["token"];
       const token = bearerToken || customToken;
 
-      if (token === authConfig.adminPassword) {
+      const tokenHash = hashToken((token as string) || "");
+      const adminHash = hashToken(authConfig.adminPassword || "");
+
+      if (token && secureCompare(tokenHash, adminHash)) {
         next();
       } else {
         res.status(401).json({ success: false, error: "Unauthorized" });

relay/src/routes/ipfs/upload-directory.ts

@@ -3,6 +3,7 @@ import multer from "multer";
 import FormData from "form-data";
 import { loggers } from "../../utils/logger";
 import { authConfig, ipfsConfig } from "../../config";
+import { secureCompare, hashToken } from "../../utils/security";
 import { ipfsUpload } from "../../utils/ipfs-client";
 import type { CustomRequest } from "./types";
 import { GUN_PATHS } from "../../utils/gun-paths";
@@ -24,7 +25,14 @@ router.post(
     const bearerToken = authHeader && authHeader.split(" ")[1];
     const customToken = req.headers["token"];
     const adminToken = bearerToken || customToken;
-    const isAdmin = adminToken === authConfig.adminPassword;
+    const adminTokenStr = Array.isArray(adminToken) ? adminToken[0] : adminToken;
+
+    let isAdmin = false;
+    if (adminTokenStr && typeof adminTokenStr === "string") {
+      const tokenHash = hashToken(adminTokenStr);
+      const adminHash = hashToken(authConfig.adminPassword || "");
+      isAdmin = secureCompare(tokenHash, adminHash);
+    }
 
     const userAddressRaw = req.headers["x-user-address"];
     const userAddress = Array.isArray(userAddressRaw) ? userAddressRaw[0] : userAddressRaw;

relay/src/routes/ipfs/upload.ts

@@ -4,6 +4,7 @@ import multer from "multer";
 import FormData from "form-data";
 import { loggers } from "../../utils/logger";
 import { authConfig, ipfsConfig } from "../../config";
+import { secureCompare, hashToken } from "../../utils/security";
 import { ipfsUpload } from "../../utils/ipfs-client";
 import type { CustomRequest, IpfsRequestOptions } from "./types";
 import { IPFS_API_TOKEN, verifyWalletSignature } from "./utils";
@@ -39,7 +40,10 @@ router.post(
 
     if (adminTokenStr && typeof adminTokenStr === "string") {
       // Check admin password
-      if (adminTokenStr === authConfig.adminPassword) {
+      const tokenHash = hashToken(adminTokenStr);
+      const adminHash = hashToken(authConfig.adminPassword || "");
+
+      if (secureCompare(tokenHash, adminHash)) {
         isAdmin = true;
       } else if (adminTokenStr.startsWith("shogun-api-")) {
         // Check API key

relay/src/utils/relay-user.ts

@@ -12,6 +12,7 @@
 import { loggers } from "./logger";
 const log = loggers.relayUser;
 import { authConfig } from "../config/env-config";
+import { secureCompare, hashToken } from "./security";
 import { GUN_PATHS, getGunNode } from "./gun-paths";
 
 // Module state
@@ -281,7 +282,10 @@ export const adminAuthMiddleware = (req: any, res: any, next: any) => {
     return res.status(401).json({ success: false, error: "Unauthorized - Token required" });
   }
 
-  if (token === authConfig.adminPassword) {
+  const tokenHash = hashToken(token);
+  const adminHash = hashToken(authConfig.adminPassword || "");
+
+  if (secureCompare(tokenHash, adminHash)) {
     next();
   } else {
     return res.status(401).json({ success: false, error: "Unauthorized - Invalid token" });