So, I'm authing a pretty short list of users for a mostly private server, and the login data for these users is stored in an object. The object is structured like {"username":"hash"}. I'd like to know if using something like if (users[username]) { timingSafeCompare(hash, users[username]) } is considered timing safe.
I thought of using something like
    let u = false
    // Compare against every entry, without breaking out on a match
    for (const un in users) {
        if (timingSafeCompare(username, un) && timingSafeCompare(hash, users[un])) u = username
    }
    return u
But again, I'm not sure if that's timing safe.
What would be the best approach to this?
It depends on the engine's implementation.
Some engines use hash tables to store properties and use dynamic lookup; hash tables have O(n) worst-case time complexity.
V8 tries to improve it by using hidden classes, and brings down time complexity to O(1) for the best case. However, as the number of props grows, it falls back to dynamic lookup.
For Set, V8 uses an ordered hash table, which also has O(1) time complexity.
If you are also going to delete users as well, then Set or Map can outperform object. Using Set also makes it more semantically correct.
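An added example, not code from either post: a Node.js login check that uses a Map, as the answer suggests, and always performs exactly one constant-time comparison whether or not the username exists. The names verifyLogin, DUMMY_HASH and COMPARE_KEY, the sample users and the hex SHA-256 hash format are assumptions; timingSafeCompare is written here on top of Node's crypto.timingSafeEqual. The time of the Map lookup itself is not made constant.

```javascript
const crypto = require('node:crypto');

// Per-process random key, used only to bring both inputs to a fixed length
// before comparing (crypto.timingSafeEqual throws on unequal lengths).
const COMPARE_KEY = crypto.randomBytes(32);

function fixedLengthDigest(value) {
  return crypto.createHmac('sha256', COMPARE_KEY).update(String(value)).digest();
}

// Constant-time equality for strings of any length.
function timingSafeCompare(a, b) {
  return crypto.timingSafeEqual(fixedLengthDigest(a), fixedLengthDigest(b));
}

// Constructed sample data: username -> stored hash (hex SHA-256 is an assumption).
const sha256Hex = (s) => crypto.createHash('sha256').update(s).digest('hex');
const users = new Map([
  ['alice', sha256Hex('constructed-sample-1')],
  ['bob', sha256Hex('constructed-sample-2')],
]);

// Compared against when the username is unknown, so that path still runs
// one comparison. Random, so no presented hash matches it in practice.
const DUMMY_HASH = crypto.randomBytes(32).toString('hex');

function verifyLogin(username, hash) {
  // A Map has no inherited keys; on a plain object, users['constructor']
  // is truthy even though no such user was ever stored.
  const stored = users.get(username); // undefined for unknown users
  const known = stored !== undefined;
  const matches = timingSafeCompare(hash, known ? stored : DUMMY_HASH);
  // Both values are already computed, so nothing here skips the comparison.
  return known && matches ? username : false;
}
```
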