From 989018553a19c927668b160104caed66929d0e50 Mon Sep 17 00:00:00 2001
From: Russell Cohen
Date: Mon, 8 Jan 2018 15:47:08 -0800
Subject: [PATCH] Blind code comparision to timing attacks
---
 index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 3052c5e..6f53e32 100644
--- a/index.js
+++ b/index.js
@@ -116,7 +116,7 @@ hotp.verify = function(token, key, opt) {
 // a correct code
 for(var i = counter - window; i <= counter + window; ++i) {
 opt.counter = i;
- if(this.gen(key, opt) === token) {
+ if((this.gen(key, opt) ^ token) === 0) {
 // We have found a matching code, trigger callback
 // and pass offset
 return { delta: i - counter };
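Review bot: The new condition `(this.gen(key, opt) ^ token) === 0` is no longer an exact match, because `^` coerces both operands to 32-bit integers before comparing. Assuming `gen` returns a zero-padded digit string (not shown in the hunk), a token with its leading zeros dropped, a number instead of a string, or any other value that coerces to the same integer would now verify, where `===` rejected it. The XOR is also not a documented constant-time primitive, and the loop still returns at the first matching counter, so the timing claim in the subject is not established by this line. I would keep the strict comparison and make it timing-safe on equal-length buffers: `var expected = Buffer.from(this.gen(key, opt)), given = Buffer.from(String(token));` then `if(typeof token === 'string' && given.length === expected.length && crypto.timingSafeEqual(given, expected)) {`, provided `crypto` is already required in index.js and the supported Node versions ship `crypto.timingSafeEqual`. The body of `hotp.verify` starts and ends outside this hunk, so any earlier validation of `token` is not visible here.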