Skip to content

fix: harden gateway auth with timing-safe compare, null checks, trust proxy#137

Merged
lukepolo merged 1 commit intomainfrom
audit/371-gateway-hardening
Apr 2, 2026
Merged

fix: harden gateway auth with timing-safe compare, null checks, trust proxy#137
lukepolo merged 1 commit intomainfrom
audit/371-gateway-hardening

Conversation

@Flegma
Copy link
Copy Markdown
Contributor

@Flegma Flegma commented Apr 2, 2026

Summary

Three authentication hardening improvements:

  1. Match events gateway — Replaced !== password comparison with crypto.timingSafeEqual to prevent timing attacks. Added null checks on auth header and base64 credentials. Connections without auth headers are now explicitly rejected. Uses indexOf for credential parsing instead of split (safer with passwords containing :).

  2. Match relay middleware — Added null/type check on x-origin-auth header before parsing. Uses timing-safe comparison for password verification. Safely handles missing or malformed headers with 401.

  3. Trust proxy — Replaced () => true (trust all) with 1 (trust first proxy only), which is the standard for apps behind a single NGINX ingress controller.

Test plan

  • Game servers can still connect via WebSocket with valid credentials
  • Invalid game server credentials are rejected
  • GOTV relay authentication works correctly
  • Client IP addresses resolve correctly through NGINX ingress
  • req.ip returns the real client IP (not the proxy IP)

Closes 5stackgg/5stack-panel#371
Closes 5stackgg/5stack-panel#372

@Flegma
fix: harden gateway auth with timing-safe compare, null checks, trust…
40b18e7 
… proxy

- match-events gateway: use crypto.timingSafeEqual for password comparison,
  add null checks on auth header and credentials, reject connections
  without auth header, use indexOf for safer credential parsing
- match-relay middleware: add null/type check on x-origin-auth header
  before parsing, use timing-safe comparison for password verification
- main.ts: replace trust-all proxy with trust-first-proxy (1) for
  NGINX ingress, removing the TODO placeholder

Closes 5stackgg/5stack-panel#371
Closes 5stackgg/5stack-panel#372
@lukepolo
Copy link
Copy Markdown
Contributor

lukepolo commented Apr 2, 2026

TY TY this is huge!

@lukepolo lukepolo merged commit c4ee3d7 into main Apr 2, 2026
1 check passed
@lukepolo lukepolo deleted the audit/371-gateway-hardening branch April 2, 2026 12:30
@Flegma Flegma mentioned this pull request Apr 2, 2026
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[API] Strengthen request authentication and proxy trust validation [API] Harden match events gateway authentication and message validation

2 participants

@Flegma @lukepolo