From 37c4db02ab050c8887207e77d1d6dc5d315df42b Mon Sep 17 00:00:00 2001
From: "Kolega.dev"
Date: Sat, 14 Feb 2026 18:23:15 +0000
Subject: [PATCH] fix: harden device pairing token generation and verification
Improved token generation in newToken() and added timing-safe token comparison in verifyDeviceToken() following the existing pattern from gateway auth.
---
 src/infra/device-pairing.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/infra/device-pairing.ts b/src/infra/device-pairing.ts
index 24379870811..4194d6eee74 100644
--- a/src/infra/device-pairing.ts
+++ b/src/infra/device-pairing.ts
@@ -1,4 +1,4 @@
-import { randomUUID } from "node:crypto";
+import { randomUUID, randomBytes } from "node:crypto";
 import { safeEqualSecret } from "../security/secret-equal.js";
 import {
 createAsyncLock,
@@ -176,7 +176,7 @@ function scopesAllow(requested: string[], allowed: string[]): boolean {
 }
 function newToken() {
- return randomUUID().replaceAll("-", "");
+ return randomBytes(32).toString("base64url");
 }
 export async function listDevicePairing(baseDir?: string): Promise {
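Review bot: The commit message says a timing-safe comparison was added to verifyDeviceToken(), but the diffstat reports 2 insertions and 2 deletions and both hunks touch only the import line and newToken(), so either that change is missing from the patch or the message overstates it; the `safeEqualSecret` import already present at the top of the file suggests the comparison may exist elsewhere in the file, which is worth confirming before merging. In the second hunk newToken() now returns a 43-character base64url string instead of a 32-character hex string derived from a UUID, so any caller that validates or stores tokens against a hex pattern or fixed length (none is visible here) would need updating, and a short comment such as `// 256-bit random token, base64url-encoded (43 chars); not a UUID` would record the format change for maintainers. `randomUUID` remains imported; if newToken() was its only caller the import is now unused, and the function would benefit from an explicit return type, `function newToken(): string {`. The enclosing file continues outside both hunks.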