Security: timing-vulnerable credential comparison in billing and mail-bridge (CWE-208)

## Summary

Two service authentication checks use direct `===` comparison for API key validation, which is vulnerable to timing attacks (CWE-208).

## Locations

1. **`ee/apps/billing/app.ts`**, line 31: `authToken === env.BILLING_KEY`
2. **`apps/mail-bridge/app.ts`**, line 34: `authToken === env.MAILBRIDGE_KEY`

## Impact

An attacker with network access can potentially extract service API keys through statistical analysis of response timing. The `===` operator short-circuits on the first differing character, leaking information about how many leading characters match.

## Suggested Fix

Replace `===` with `crypto.timingSafeEqual()` using SHA-256 digests to ensure constant-time comparison regardless of input length.

---
*Found by [SpiderShield](https://github.com/teehooai/spidershield) security scanner*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: timing-vulnerable credential comparison in billing and mail-bridge (CWE-208) #787

Summary

Locations

Impact

Suggested Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: timing-vulnerable credential comparison in billing and mail-bridge (CWE-208) #787

Description

Summary

Locations

Impact

Suggested Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions