[koa-shopify-auth] ➖ Remove the need for external safe-compare

packages/koa-shopify-auth/CHANGELOG.md

@@ -5,7 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-<!-- ## [Unreleased] -->
+## [Unreleased]
+
+### Removed
+
+- Removes `safe-compare` as a dependency, preferring Node's `crypto.timingSafeEqual` [1470](https://github.com/Shopify/quilt/pull/1470)
 
 ## [3.1.63] - 2020-05-25
 

packages/koa-shopify-auth/package.json

@@ -26,15 +26,13 @@
     "@shopify/network": "^1.4.7",
     "koa-compose": ">=3.0.0 <4.0.0",
     "nonce": "^1.0.4",
-    "safe-compare": "^1.1.2",
     "tslib": "^1.9.3"
   },
   "devDependencies": {
     "@shopify/jest-dom-mocks": "^2.9.0",
     "@shopify/jest-koa-mocks": "^2.2.2",
     "@types/koa": "^2.0.0",
     "@types/koa-compose": "*",
-    "@types/safe-compare": "^1.1.0",
     "koa": "^2.5.0"
   },
   "sideEffects": false,

packages/koa-shopify-auth/src/auth/safe-compare.ts

@@ -0,0 +1,15 @@
+import crypto from 'crypto';
+
+export default function safeCompare(stringA: string, stringB: string) {
+  const aLen = Buffer.byteLength(stringA);
+  const bLen = Buffer.byteLength(stringB);
+
+  // Turn strings into buffers with equal length
+  // to avoid leaking the length
+  const buffA = Buffer.alloc(aLen, 0, 'utf8');
+  buffA.write(stringA);
+  const buffB = Buffer.alloc(aLen, 0, 'utf8');
+  buffB.write(stringB);
+
+  return crypto.timingSafeEqual(buffA, buffB) && aLen === bLen;
+}

packages/koa-shopify-auth/src/auth/test/validate-hmac.test.ts

@@ -1,10 +1,10 @@
 import validateHmac from '../validate-hmac';
 
-jest.mock('safe-compare', () => {
+jest.mock('../safe-compare', () => {
   return jest.fn((first: string, second: string) => first === second);
 });
 
-const safeCompare = require.requireMock('safe-compare');
+const safeCompare = require.requireMock('../safe-compare');
 const data = {fiz: 'buzz', foo: 'bar'};
 const secret = 'some secret';
 const hmac = '7c66606415117ff9744a2a9b2be1712a15928b5ef474ab1a9ff5dc36b7dcaed8';

packages/koa-shopify-auth/src/auth/validate-hmac.ts

@@ -2,7 +2,8 @@ import querystring from 'querystring';
 import crypto from 'crypto';
 
 import {Context} from 'koa';
-import safeCompare from 'safe-compare';
+
+import safeCompare from './safe-compare';
 
 export default function validateHmac(
   hmac: string,

yarn.lock

@@ -1801,11 +1801,6 @@
     "@types/prop-types" "*"
     csstype "^2.2.0"
 
-"@types/safe-compare@^1.1.0":
-  version "1.1.0"
-  resolved "https://registry.yarnpkg.com/@types/safe-compare/-/safe-compare-1.1.0.tgz#47ed9b9ca51a3a791b431cd59b28f47fa9bf1224"
-  integrity sha512-1ri+LJhh0gRxIa37IpGytdaW7yDEHeJniBSMD1BmitS07R1j63brcYCzry+l0WJvGdEKQNQ7DYXO2epgborWPw==
-
 "@types/serve-static@*":
   version "1.13.3"
   resolved "https://registry.yarnpkg.com/@types/serve-static/-/serve-static-1.13.3.tgz#eb7e1c41c4468272557e897e9171ded5e2ded9d1"
@@ -10349,7 +10344,7 @@ safe-buffer@^5.0.1, safe-buffer@^5.1.0, safe-buffer@^5.1.1, safe-buffer@^5.1.2,
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.2.0.tgz#b74daec49b1148f88c64b68d49b1e815c1f2f519"
   integrity sha512-fZEwUGbVl7kouZs1jCdMLdt95hdIv0ZeHg6L7qPeciMZhZ+/gdesW4wgTARkrFWEpspjEATAzUGPG8N2jJiwbg==
 
-safe-compare@^1.1.2, safe-compare@^1.1.3:
+safe-compare@^1.1.3:
   version "1.1.4"
   resolved "https://registry.yarnpkg.com/safe-compare/-/safe-compare-1.1.4.tgz#5e0128538a82820e2e9250cd78e45da6786ba593"
   integrity sha512-b9wZ986HHCo/HbKrRpBJb2kqXMK9CEWIE1egeEvZsYn69ay3kdfl9nG3RyOcR+jInTDf7a86WQ1d4VJX7goSSQ==