Security: timing attack in auth comparison (CWE-208)

## Summary

Authentication credentials are compared using `===`/`==` which is vulnerable to timing side-channel attacks (CWE-208).

## Details

- **CWE**: CWE-208 (Observable Timing Discrepancy)
- **Severity**: Medium
- **Files**: `apps/nestjs-backend/src/features/auth/local-auth/local-auth.service.ts`, `apps/nestjs-backend/src/features/auth/permission.service.ts`
- **Impact**: An attacker can determine the secret value by measuring response time differences.

## Suggested Fix

Use constant-time comparison: `crypto.timingSafeEqual()` (Node.js).

---
*Found by [SpiderShield](https://github.com/teehooai/spidershield) security scanner*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: timing attack in auth comparison (CWE-208) #2863

Summary

Details

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Security: timing attack in auth comparison (CWE-208) #2863

Description

Summary

Details

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions