From: Jérôme Benoit Date: Wed, 11 Feb 2026 15:42:24 +0000 (+0100) Subject: fix(ui-server): use timing-safe credential comparison X-Git-Tag: ocpp-server@v2.3.0~12 X-Git-Url: https://git.piment-noir.org/?a=commitdiff_plain;h=f4361496a99566ab76b7e6ff9a37fa4060a84ae3;p=e-mobility-charging-stations-simulator.git fix(ui-server): use timing-safe credential comparison Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode) Co-authored-by: Sisyphus
---
diff --git a/src/charging-station/ui-server/AbstractUIServer.ts b/src/charging-station/ui-server/AbstractUIServer.ts
index 312a97c4..f9d2aa0d 100644
--- a/src/charging-station/ui-server/AbstractUIServer.ts
+++ b/src/charging-station/ui-server/AbstractUIServer.ts
@@ -23,6 +23,7 @@ import {
 import { isEmpty, logger } from '../../utils/index.js'
 import { UIServiceFactory } from './ui-services/UIServiceFactory.js'
 import { getUsernameAndPasswordFromAuthorizationToken } from './UIServerUtils.js'
+import { isValidCredential } from './UIServerSecurity.js'
 const moduleName = 'AbstractUIServer'
@@ -226,8 +227,8 @@ export abstract class AbstractUIServer {
 private isValidUsernameAndPassword (username: string, password: string): boolean {
 return (
- this.uiServerConfiguration.authentication?.username === username &&
- this.uiServerConfiguration.authentication.password === password
+ isValidCredential(username, this.uiServerConfiguration.authentication?.username ?? '') &&
+ isValidCredential(password, this.uiServerConfiguration.authentication?.password ?? '')
 )
 }
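Review bot: The `?? ''` fallbacks in `isValidUsernameAndPassword` change what happens when no username or password is configured. The old `===` comparison against `undefined` always failed, whereas the new code compares the supplied values with an empty string, so whether empty credentials are accepted now depends on how `isValidCredential` treats two empty strings, which this diff does not show. Separately, `&&` short-circuits, so the password comparison is skipped when the username is wrong, and response time can still tell a valid username from an invalid one. I would return `false` when either configured value is missing, then run both comparisons unconditionally and combine the results afterwards, as below.

```typescript
private isValidUsernameAndPassword (username: string, password: string): boolean {
  const authentication = this.uiServerConfiguration.authentication
  // Fail closed: unconfigured credentials must never match, not even empty input.
  if (authentication?.username == null || authentication.password == null) {
    return false
  }
  // Evaluate both comparisons before combining so a wrong username does not skip the password check.
  const usernameMatches = isValidCredential(username, authentication.username)
  const passwordMatches = isValidCredential(password, authentication.password)
  return usernameMatches && passwordMatches
}
```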