
feat: safe timing helper #5080

Merged
thetutlage merged 1 commit into 7.x from feat/safe-timing
Mar 26, 2026


@Julien-R44
Member

Add safeTiming helper to prevent timing attacks by ensuring a callback always takes at least a minimum amount of time to execute.

```ts
import { safeTiming } from '@adonisjs/core/helpers'

return safeTiming(200, async () => {
  const user = await User.findBy('email', email)
  if (user) await sendResetEmail(user)
  return { message: 'If this email exists, you will receive a reset link.' }
})
```

Supports `returnEarly()` to skip the delay when you want fast responses on success but constant time on failure.

```ts
return safeTiming(200, async (timing) => {
  const token = await Token.findBy('value', request.header('x-api-key'))
  if (token) {
    timing.returnEarly()
    return token.owner
  }
  throw new UnauthorizedException()
})
```

Inspired by Laravel's timebox. Thought it was nice to have this in the core.
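
An added sketch, not part of this pull request and not the AdonisJS implementation, of the behaviour the description above gives for `safeTiming`: a minimum duration that also covers thrown errors, with `returnEarly()` as the opt-out. The names `timebox`, `checkKey`, `measure`, `padded`, `unpadded` and the token table are hypothetical, and all data is constructed.

```javascript
// Added illustration, not the AdonisJS implementation. `timebox`, `checkKey`,
// `measure` and the TOKENS table are hypothetical; all data is constructed.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))
// Run `callback`, then pad to `minMs` unless it called timing.returnEarly().
async function timebox(minMs, callback) {
  const start = performance.now()
  let early = false
  const timing = { returnEarly() { early = true } }
  try {
    return await callback(timing)
  } finally {
    // Runs for thrown errors too, so a rejection is padded like any result.
    // Loop because a timer can fire slightly before the requested delay.
    let left
    while (!early && (left = minMs - (performance.now() - start)) > 0) {
      await sleep(Math.ceil(left))
    }
  }
}

// Constructed token store: a revoked key costs an extra lookup (30 ms here),
// an unknown key fails at once. Unpadded, that gap reveals which keys exist.
const TOKENS = new Map([
  ['key-live', { owner: 'alice', revoked: false }],
  ['key-old', { owner: 'bob', revoked: true }],
])

async function checkKey(key, timing) {
  const token = TOKENS.get(key)
  if (!token) throw new Error('unauthorized')
  if (token.revoked) {
    await sleep(30) // stands in for the extra revocation query
    throw new Error('unauthorized')
  }
  timing.returnEarly() // success is already visible in the response
  return token.owner
}

// Time one call and report how it ended.
async function measure(fn) {
  const start = performance.now()
  const outcome = await fn().then((v) => `ok:${v}`, (e) => `err:${e.message}`)
  return { outcome, ms: performance.now() - start }
}

const MIN_MS = 120
const padded = (key) => measure(() => timebox(MIN_MS, (t) => checkKey(key, t)))
const unpadded = (key) => measure(() => checkKey(key, { returnEarly() {} }))
Promise.all(['key-old', 'nope'].flatMap((k) => [unpadded(k), padded(k)]))
  .then((rows) => console.table(rows))
```

The floor only hides differences smaller than itself: a failure path that runs longer than the minimum returns as soon as it finishes, so the minimum has to sit above the slowest failure path.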

@Julien-R44 Julien-R44 requested a review from thetutlage March 20, 2026 21:40
@thetutlage thetutlage merged commit 5793b1f into 7.x Mar 26, 2026
16 checks passed
@thetutlage thetutlage deleted the feat/safe-timing branch March 26, 2026 16:13
@thetutlage
Member

👍🏽
