🛡️ Sentinel: [CRITICAL] Fix timing attack vulnerability in secret comparisons

[aloewright]

🚨 Severity: CRITICAL
💡 Vulnerability: The timingSafeEqual function from hono/utils/buffer was called with raw JS string arguments. Due to JS engine optimizations (like flat vs rope strings), comparing strings byte-by-byte can still leak timing information, making it vulnerable to side-channel attacks.
🎯 Impact: Attackers could potentially exploit timing differences to guess webhook secrets or the x-admin-key, leading to unauthorized access or forged webhooks.
🔧 Fix: Updated the timingSafeEqual calls in apps/quill/src/routes/admin.ts and apps/quill/src/lib/polar.ts to explicitly encode the string arguments into Uint8Array byte buffers using new TextEncoder().encode() before comparing them. This ensures a true constant-time comparison.
✅ Verification: Ran pnpm check and pnpm typecheck to verify no type or formatting errors were introduced. Reviewer approved.

---

PR created automatically by Jules for task 6604547924413852452 started by @aloewright

Summary by CodeRabbit

• Bug Fixes
  • Enhanced security for webhook signature verification and admin authentication mechanisms.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9f415054-8d7c-4aed-ba9d-60f7f1d53b3e

📥 Commits

Reviewing files that changed from the base of the PR and between bab8f67 and b5fa4df.

📒 Files selected for processing (2)

• apps/quill/src/lib/polar.ts
• apps/quill/src/routes/admin.ts

---

Walkthrough

This PR hardens timing-safe equality comparisons by encoding string credentials to byte arrays before calling timingSafeEqual. Webhook signature verification and admin API key authentication now convert both compared values to bytes, improving security against timing attacks.

Changes

Timing-safe equality comparisons

Layer / File(s)	Summary
Encode strings to bytes for timingSafeEqual apps/quill/src/lib/polar.ts, apps/quill/src/routes/admin.ts	Webhook signature verification and admin API key validation now use TextEncoder to convert string values to byte arrays before calling timingSafeEqual, replacing direct string comparisons.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main change: fixing a timing attack vulnerability in secret comparisons using timingSafeEqual with encoded byte arrays.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-timing-attack-6604547924413852452

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

Warning

Review ran into problems

🔥 Problems

These MCP integrations need to be re-authenticated in the Integrations settings: Sentry

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	postpilot	b5fa4df	May 30 2026, 05:34 AM

[gemini-code-assist]

Code Review

This pull request updates webhook verification and admin middleware to encode string values into Uint8Array using TextEncoder before passing them to timingSafeEqual. The review feedback recommends optimizing performance and reducing garbage collection overhead by reusing a single TextEncoder instance instead of instantiating it multiple times on every iteration or request.

[gemini-code-assist]

Instantiating new TextEncoder() twice on every iteration of the loop creates unnecessary garbage collection overhead and CPU cycles. Since timingSafeEqual from hono/utils/buffer internally instantiates new TextEncoder() if passed raw strings, passing pre-encoded Uint8Arrays is a good way to avoid this. However, we should reuse a single TextEncoder instance to prevent redundant allocations.

Additionally, consider defining a single TextEncoder instance at the module level of this file to reuse it across all helper functions (such as on lines 168 and 178).

    if (version === "v1" && sig) {
      const encoder = new TextEncoder();
      if (
        await timingSafeEqual(
          encoder.encode(sig),
          encoder.encode(expected)
        )
      ) {
        return true;
      }
    }

[gemini-code-assist]

Instantiating new TextEncoder() twice on every request to the admin middleware adds unnecessary allocation overhead. Creating a single TextEncoder instance and reusing it to encode both strings avoids this overhead and improves performance.

Suggested change

	if (
	!provided ||
	!(await timingSafeEqual(
	new TextEncoder().encode(expected),
	new TextEncoder().encode(provided)
	))
	) {
	const encoder = new TextEncoder();
	if (
	!provided ||
	!(await timingSafeEqual(
	encoder.encode(expected),
	encoder.encode(provided)
	))
	) {

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b5fa4df8aa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep timingSafeEqual inputs as strings

When x-admin-key is correct, this still rejects every request because Hono's timingSafeEqual hashes the two inputs and then also requires a === b; two freshly encoded Uint8Array objects are never the same reference. In the admin middleware this means all admin endpoints return 401 for any configured key, so the comparison needs to pass strings or use a byte comparator that actually compares buffer contents.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep webhook signature inputs comparable

For valid Polar webhooks, this comparison now always evaluates false because each TextEncoder().encode(...) call creates a distinct Uint8Array, while Hono's timingSafeEqual additionally checks input identity with a === b after hashing. As a result no v1 signature can match and all webhook deliveries are rejected, so this should pass comparable values or switch to an actual byte-safe equality helper.

Useful? React with 👍 / 👎.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.