From 23106bfce8add358dc6c2710ca53bbc618e52b7d Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Wed, 13 Aug 2025 22:45:11 -0400
Subject: [PATCH] fix: Use safeEqual in VerificationCode verify method (#9915)
---
 server/utils/VerificationCode.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/server/utils/VerificationCode.ts b/server/utils/VerificationCode.ts
index 2ef0971f6a..733beb3fb0 100644
--- a/server/utils/VerificationCode.ts
+++ b/server/utils/VerificationCode.ts
@@ -1,6 +1,7 @@
 import { randomInt } from "crypto";
 import { Minute } from "@shared/utils/time";
 import Redis from "@server/storage/redis";
+import { safeEqual } from "./crypto";
 /**
 * This class manages verification codes for email authentication.
@@ -53,9 +54,9 @@ export class VerificationCode {
 * @param email The email address associated with the code
 * @returns Promise resolving to the code or null if not found
 */
- public static async retrieve(email: string): Promise {
+ public static async retrieve(email: string): Promise {
 const key = this.getKey(email);
- return await this.redis.get(key);
+ return (await this.redis.get(key)) ?? undefined;
 }
 /**
@@ -67,7 +68,7 @@ export class VerificationCode {
 */
 public static async verify(email: string, code: string): Promise {
 const storedCode = await this.retrieve(email);
- return storedCode === code;
+ return safeEqual(storedCode, code);
 }
 /**
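Review bot: The doc comment kept as context above `retrieve` still reads `@returns Promise resolving to the code or null if not found`, but the new body maps a missing Redis value to `undefined` via `?? undefined`. I would update it to `@returns Promise resolving to the code, or undefined if no code is stored`. The generic argument of `Promise` is not visible on this page, so the declared return type should be checked against the file. Any caller of `retrieve` outside this hunk that still tests `=== null` would now silently take the "code present" branch and should be checked as well.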
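Review bot: `verify` now depends entirely on `safeEqual` to reject a missing stored code, and how that helper treats `undefined` is not visible in this patch. Because parameter types are erased at runtime, a request that omits the code could reach `safeEqual(undefined, undefined)` when nothing is stored or the code has expired, so I would make the method fail closed on its own with `if (!storedCode || !code) { return false; }` before the comparison. It is also worth confirming that `safeEqual` returns false rather than throwing when the two strings differ in length. A one-line comment above the call, such as `// Constant-time comparison so response timing does not reveal how much of the code matched`, would record why `===` was replaced.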