AntFleet

Disagreement · 034f209b-anthropic-3

Token-shape check accepts payload-only token (`body.`) but rejects empty-mac form; inconsistent guard, narrowly safe

solo Opus
repo e24ef98c · PR #9 · reviewed 1 week ago

Opus finding

low · maintainability · medium
  • apps/web/lib/optin-token.ts:67-70
  • apps/web/lib/optin-token.test.ts:78-82
The guard `dot === token.length - 1` correctly rejects `body.` (no mac). However, `.onlymac` (dot at index 0, empty payload) passes the shape guard and proceeds to compute HMAC over the empty string, then compares against decoded `onlymac`. This is safe (HMAC of empty string != arbitrary bytes), but it's a wasted code path and an inconsistent symmetry — if you reject `body.` you should also reject `.mac`. Since timingSafeEqual rejects on length mismatch and JSON.parse rejects empty string, the net result is `kind: invalid` regardless, but the asymmetry is a maintenance hazard.

Recommendation

Tighten the guard to `dot <= 0 || dot === token.length - 1` so both empty halves short-circuit identically.
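To make the asymmetry concrete, here is an added example (not code from the PR or the `optin-token.ts` module) that models the two guards side by side and runs them through a verifier. The token layout it assumes, `base64url(JSON payload) + "." + base64url(HMAC-SHA256 over the encoded payload)`, the secret, the `reason` field on the invalid result and the helper names are all assumptions made for the example; the finding only states that the guard is `dot === token.length - 1`, that the MAC is compared with `timingSafeEqual`, and that the payload is parsed with `JSON.parse`.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Assumed result shape (the finding only mentions `kind: invalid`); `reason` is added
// here so the example can show *which* check rejected a malformed token.
export type VerifyResult =
  | { kind: "ok"; payload: unknown }
  | { kind: "invalid"; reason: "shape" | "mac" | "json" };

// Assumed token layout: base64url(JSON payload) "." base64url(HMAC-SHA256(encodedPayload)).
export function makeToken(payload: object, secret: string): string {
  const body = Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
  const mac = createHmac("sha256", secret).update(body).digest("base64url");
  return `${body}.${mac}`;
}

// Shape guard as described in the finding: rejects "body." (empty mac) but lets
// ".mac" (empty payload) through to the HMAC computation.
export function looseShapeOk(token: string): boolean {
  const dot = token.indexOf(".");
  return !(dot === -1 || dot === token.length - 1);
}

// Tightened guard from the recommendation: `dot <= 0` also covers the missing-dot
// and empty-payload cases, so both empty halves short-circuit identically.
export function tightShapeOk(token: string): boolean {
  const dot = token.indexOf(".");
  return !(dot <= 0 || dot === token.length - 1);
}

export function verifyToken(
  token: string,
  secret: string,
  shapeOk: (t: string) => boolean = tightShapeOk,
): VerifyResult {
  if (!shapeOk(token)) return { kind: "invalid", reason: "shape" };

  const dot = token.indexOf(".");
  const body = token.slice(0, dot);
  const presented = Buffer.from(token.slice(dot + 1), "base64url");
  const expected = createHmac("sha256", secret).update(body).digest();

  // timingSafeEqual throws on a length mismatch, so check length explicitly first;
  // an empty payload ("" under the loose guard) ends up rejected here, as the finding notes.
  if (presented.length !== expected.length || !timingSafeEqual(presented, expected)) {
    return { kind: "invalid", reason: "mac" };
  }

  try {
    const json = Buffer.from(body, "base64url").toString("utf8");
    return { kind: "ok", payload: JSON.parse(json) };
  } catch {
    return { kind: "invalid", reason: "json" };
  }
}

// Convenience wrapper for the two malformed shapes discussed in the finding.
export function classify(token: string, secret: string): { loose: string; tight: string } {
  return {
    loose: verifyToken(token, secret, looseShapeOk).kind === "invalid"
      ? (verifyToken(token, secret, looseShapeOk) as { reason: string }).reason
      : "ok",
    tight: verifyToken(token, secret, tightShapeOk).kind === "invalid"
      ? (verifyToken(token, secret, tightShapeOk) as { reason: string }).reason
      : "ok",
  };
}
```

Running `classify(".onlymac", secret)` shows the point of the finding: both guards produce an invalid result, but the loose one only gets there at the MAC comparison (`reason: "mac"`) after computing an HMAC over an empty payload, while the tightened guard rejects it up front (`reason: "shape"`), exactly as it already does for `body.`.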

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
