MCPcopy Index your code
hub / github.com/codeaashu/claude-code / unsign

Method unsign

src/server/web/auth/adapter.ts:133–149  ·  view source on GitHub ↗

* Verifies the HMAC and returns the raw session ID, or null on failure. * Uses constant-time comparison to prevent timing attacks.

(signed: string)

Source from the content-addressed store, hash-verified

131 * Uses constant-time comparison to prevent timing attacks.
132 */
133 unsign(signed: string): string | null {
134 const dot = signed.lastIndexOf(".");
135 if (dot === -1) return null;
136 const id = signed.slice(0, dot);
137 const provided = signed.slice(dot + 1);
138
139 const hmac = createHmac("sha256", this.key);
140 hmac.update(id);
141 const expected = hmac.digest("base64url");
142
143 if (provided.length !== expected.length) return null;
144 let diff = 0;
145 for (let i = 0; i < provided.length; i++) {
146 diff |= provided.charCodeAt(i) ^ expected.charCodeAt(i);
147 }
148 return diff === 0 ? id : null;
149 }
150
151 // ── Request / response helpers ────────────────────────────────────────────
152

Callers 2

getFromRequestMethod · 0.95
getIdFromRequestMethod · 0.95

Calls 1

updateMethod · 0.65

Tested by

no test coverage detected