From 604203c1795406f64e58cdacc430901327d7005d Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sat, 14 Mar 2026 01:04:18 +0000
Subject: [PATCH] fix: tighten pairing token blank handling
---
 src/infra/pairing-token.test.ts | 5 +++++
 src/infra/pairing-token.ts | 3 +++
 2 files changed, 8 insertions(+)
diff --git a/src/infra/pairing-token.test.ts b/src/infra/pairing-token.test.ts
index 2d6a5964396..1ef0c8e20d7 100644
--- a/src/infra/pairing-token.test.ts
+++ b/src/infra/pairing-token.test.ts
@@ -27,4 +27,9 @@ describe("verifyPairingToken", () => {
 expect(verifyPairingToken("secret-token", "secret-token")).toBe(true);
 expect(verifyPairingToken("secret-token", "secret-tokEn")).toBe(false);
 });
+
+ it("rejects blank tokens even when both sides match", () => {
+ expect(verifyPairingToken("", "")).toBe(false);
+ expect(verifyPairingToken(" ", " ")).toBe(false);
+ });
 });
diff --git a/src/infra/pairing-token.ts b/src/infra/pairing-token.ts
index 96960da53b8..7fe0dc2e688 100644
--- a/src/infra/pairing-token.ts
+++ b/src/infra/pairing-token.ts
@@ -8,5 +8,8 @@ export function generatePairingToken(): string {
 }
 
 export function verifyPairingToken(provided: string, expected: string): boolean {
+ if (provided.trim().length === 0 || expected.trim().length === 0) {
+ return false;
+ }
 return safeEqualSecret(provided, expected);
 }
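Review bot: The new `it` block does not pin that trimming is used only to detect blank tokens and is never applied to the comparison itself. A later refactor that trims both sides before comparing would still pass every case here, yet would start accepting padded tokens. Adding `expect(verifyPairingToken(" secret-token", "secret-token")).toBe(false);` closes that gap. The blank cases visible here also appear to use only the space character, so a tab/newline case such as `expect(verifyPairingToken("\t\n", "\t\n")).toBe(false);` would cover the rest of what `trim()` strips. The enclosing `describe` starts outside the hunk.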
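Review bot: The guard added to `verifyPairingToken` calls `.trim()` on both arguments before `safeEqualSecret` runs, so a non-string value reaching it at runtime would throw a TypeError instead of returning false. That could happen if a caller forwards an absent field from a parsed request body unchecked; the callers are not visible in this patch, so treat this as a point to confirm. Checking the type first keeps the function fail-closed on malformed input: `if (typeof provided !== "string" || typeof expected !== "string") return false;`. The reason for the guard is also worth recording above it, for example `// Fail closed: an unset or whitespace-only expected token must never match a blank presented token.`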