Use constant-time comparison for static credentials

Replace plain === string comparison for static password and
username/password auth with timingSafeEqual from node:crypto
to prevent timing side-channel attacks on credential checks.

Also add tests for the full session lifecycle: logging in
with a valid password, using the cookie to access protected
pages, and verifying that forged cookies are rejected.

#561
#564

Co-Authored-By: Claude <noreply@anthropic.com>

Author: dahlia

packages/debugger/src/mod.test.ts

@@ -887,6 +887,66 @@ test("auth password: logout cookie omits Secure on HTTP", async () => {
   );
 });
 
+// ---------- Auth: session lifecycle tests ----------
+
+test("auth password: valid session cookie grants access", async () => {
+  const { federation } = createMockFederation();
+  const exporter = createMockExporter();
+  const auth: FederationDebuggerAuth = {
+    type: "password",
+    password: "secret123",
+  };
+  const dbg = createFederationDebugger(federation, { exporter, auth });
+  // Step 1: login to get a session cookie
+  const loginBody = new URLSearchParams({ password: "secret123" });
+  const loginResponse = await dbg.fetch(
+    new Request("https://example.com/__debug__/login", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: loginBody.toString(),
+    }),
+    { contextData: undefined },
+  );
+  strictEqual(loginResponse.status, 303);
+  const setCookie = loginResponse.headers.get("set-cookie")!;
+  // Extract the cookie value
+  const cookieValue = setCookie.split(";")[0];
+
+  // Step 2: use the cookie to access a protected page
+  const dashboardResponse = await dbg.fetch(
+    new Request("https://example.com/__debug__/", {
+      headers: { Cookie: cookieValue },
+    }),
+    { contextData: undefined },
+  );
+  strictEqual(dashboardResponse.status, 200);
+  const html = await dashboardResponse.text();
+  ok(html.includes("Fedify Debug Dashboard"));
+});
+
+test("auth password: forged session cookie is rejected", async () => {
+  const { federation } = createMockFederation();
+  const exporter = createMockExporter();
+  const auth: FederationDebuggerAuth = {
+    type: "password",
+    password: "secret123",
+  };
+  const dbg = createFederationDebugger(federation, { exporter, auth });
+  // Use a fake/forged cookie value
+  const response = await dbg.fetch(
+    new Request("https://example.com/__debug__/", {
+      headers: {
+        Cookie: "__fedify_debug_session=deadbeefdeadbeefdeadbeefdeadbeef",
+      },
+    }),
+    { contextData: undefined },
+  );
+  // Should show login form (401), not grant access
+  strictEqual(response.status, 401);
+  const html = await response.text();
+  ok(html.includes("Login Required"));
+});
+
 // ---------- Sink property tests ----------
 
 test("createFederationDebugger exposes a sink property", () => {

packages/debugger/src/mod.tsx

@@ -26,6 +26,7 @@ import {
 import { Hono } from "hono";
 import { getCookie } from "hono/cookie";
 import { AsyncLocalStorage } from "node:async_hooks";
+import { timingSafeEqual } from "node:crypto";
 import { LoginPage } from "./views/login.tsx";
 import { TracesListPage } from "./views/traces-list.tsx";
 import { TraceDetailPage } from "./views/trace-detail.tsx";
@@ -465,6 +466,23 @@ async function verifySession(
   }
 }
 
+/**
+ * Constant-time string comparison to prevent timing attacks on credential
+ * checks.  Uses {@link timingSafeEqual} from `node:crypto` under the hood.
+ */
+function constantTimeEqual(a: string, b: string): boolean {
+  const encoder = new TextEncoder();
+  const bufA = encoder.encode(a);
+  const bufB = encoder.encode(b);
+  if (bufA.byteLength !== bufB.byteLength) {
+    // Still compare to burn the same amount of time regardless, but
+    // the result is always false when lengths differ.
+    timingSafeEqual(bufA, new Uint8Array(bufA.byteLength));
+    return false;
+  }
+  return timingSafeEqual(bufA, bufB);
+}
+
 async function checkAuth(
   auth: FederationDebuggerAuth,
   formData: { username?: string; password: string },
@@ -473,7 +491,7 @@ async function checkAuth(
     if ("authenticate" in auth) {
       return await auth.authenticate(formData.password);
     }
-    return formData.password === auth.password;
+    return constantTimeEqual(formData.password, auth.password);
   }
   if (auth.type === "usernamePassword") {
     if ("authenticate" in auth) {
@@ -482,8 +500,13 @@ async function checkAuth(
         formData.password,
       );
     }
-    return formData.username === auth.username &&
-      formData.password === auth.password;
+    // Check both fields in constant time (don't short-circuit)
+    const usernameMatch = constantTimeEqual(
+      formData.username ?? "",
+      auth.username,
+    );
+    const passwordMatch = constantTimeEqual(formData.password, auth.password);
+    return usernameMatch && passwordMatch;
   }
   return false;
 }