Opus finding
Token comparison base64-decodes an attacker-controlled MAC before the length check (a non-issue, since the `timingSafeEqual` length precondition is checked correctly), and payload JSON parsing happens after MAC verification, which is fine; but the `dot === token.length - 1` guard does not reject tokens whose payload is empty.
low · api-contract · medium
- apps/web/lib/optin-token.ts:62-66
- apps/web/lib/optin-token.ts:67
If `dot === 0` (a token like ".mac"), `encodedPayload` is the empty string. The HMAC is computed over an empty payload and the function then calls JSON.parse on an empty buffer, which throws and results in an invalid verdict, so the function is functionally safe. But the explicit empty-payload guard is missing, so the test case `verifyToken(".onlymac")` happens to pass only because the base64-decoded empty MAC has length 0 ≠ the expected 32, returning invalid. It still works, but an explicit defensive guard would clarify intent. Low severity.
Recommendation
Reject `dot === 0` explicitly alongside the trailing-dot check for clarity and to harden against future refactors.