| # Timing safe string compare using double HMAC | 
|   | 
|   | 
| Prevents [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/) using Brad Hill's | 
| [Double HMAC pattern](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/february/double-hmac-verification/) | 
| to perform secure string comparison. Double HMAC avoids timing attacks by blinding the | 
| timing channel: the comparison time is randomized on each attempt, which defeats iterative brute-force attacks. | 
|   | 
|   | 
| ## Install | 
|   | 
| ``` | 
| npm install tsscmp | 
| ``` | 
| ## Why | 
| Use it to compare secret values such as **authentication tokens**, **passwords** or | 
| **capability URLs** so that timing information is not | 
| leaked to the attacker. | 
|   | 
| ## Example | 
|   | 
| ```js | 
| var timingSafeCompare = require('tsscmp'); | 
|   | 
| var sessionToken = '127e6fbfe24a750e72930c'; | 
| var givenToken = '127e6fbfe24a750e72930c'; | 
|   | 
| if (timingSafeCompare(sessionToken, givenToken)) { | 
|   console.log('good token'); | 
| } else { | 
|   console.log('bad token'); | 
| } | 
| ``` | 
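The double HMAC pattern described at the top of this README, written out with Node's built-in `crypto` module next to the early-exit comparison it replaces. This is an added example, not the tsscmp source; the names `naiveCompare`, `mac`, `doubleHmacCompare` and `demo` are hypothetical and the tokens are constructed sample values.

```javascript
const crypto = require('crypto');

// Early-exit comparison: returns at the first differing character, so its
// running time depends on how long the matching prefix is.
function naiveCompare(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return false;
  }
  return true;
}

// HMAC-SHA256 of a string under the given key (always a 32-byte Buffer).
function mac(key, value) {
  return crypto.createHmac('sha256', key).update(value, 'utf8').digest();
}

// Double HMAC: MAC both inputs under a fresh random key and compare the MACs.
// The bytes actually compared are unpredictable to the caller, so timing
// differences in the comparison no longer map back to the secret's prefix.
function doubleHmacCompare(expected, given) {
  // Assumption of this example: non-string input is rejected, not coerced.
  if (typeof expected !== 'string' || typeof given !== 'string') return false;
  const key = crypto.randomBytes(32); // new key for every comparison
  // Both digests are 32 bytes whatever the input lengths, so
  // timingSafeEqual cannot throw on a length mismatch.
  return crypto.timingSafeEqual(mac(key, expected), mac(key, given));
}

// Constructed sample tokens covering the match, near-miss and edge cases.
function demo() {
  const sessionToken = '127e6fbfe24a750e72930c';
  const nearMiss = '127e6fbfe24a750e72930d';
  const k1 = crypto.randomBytes(32);
  const k2 = crypto.randomBytes(32);
  return {
    same: doubleHmacCompare(sessionToken, '127e6fbfe24a750e72930c'),
    lastCharOff: doubleHmacCompare(sessionToken, nearMiss),
    shorter: doubleHmacCompare(sessionToken, '127e6f'),
    notAString: doubleHmacCompare(sessionToken, null),
    naiveAgrees: naiveCompare(sessionToken, nearMiss) === false,
    // Same token under two keys: the compared bytes change on every call.
    blinded: !mac(k1, sessionToken).equals(mac(k2, sessionToken)),
  };
}

console.log(demo());
```

Both functions return the same answers; the difference is only in what an attacker can learn from how long the answer takes.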
| ## License | 
| [MIT](LICENSE) | 
|   | 
| **Credits to:**  [@jsha](https://github.com/jsha) | | 
| [@bnoordhuis](https://github.com/bnoordhuis) | | 
| [@suryagh](https://github.com/suryagh) | | 
|   |