Memory Leak in Feathersjs with Hmac Signatures

A memory leak in a Feathersjs service that uses Hmac Signatures typically arises from how authentication state or cryptographic material is retained per request or connection. When Hmac Signatures are used for request authentication, the server must validate a signature derived from a secret key, request metadata (such as timestamp and nonce), and the payload. If the application or an underlying library retains references to request context, buffers, or derived key material beyond the lifecycle of a single request, memory usage grows over time.

In Feathersjs, services are event-driven and can maintain hooks and state. A common pattern is to compute and verify Hmac signatures inside an authentication hook. If this hook allocates buffers, caches derived keys, or pushes data into long-lived objects without cleanup, each authenticated request can contribute to unbounded memory growth. For example, storing per-request state in a module-level map keyed by timestamp or signature, without eviction, creates a retain cycle that prevents garbage collection. Additionally, if the Hmac verification logic uses streaming APIs or large payload buffers and those buffers are retained (e.g., in arrays or logs), the heap can fill with data that is never released.

Long-lived server processes exacerbate this: as traffic increases, the accumulation of orphaned buffers, incomplete promise chains, or cached signature materials increases RSS and heap pressure, eventually degrading performance or causing process instability. This leak is not a flaw in the Hmac algorithm itself but a resource management issue in how Feathersjs hooks and service logic handle cryptographic operations and request-scoped data. Because the authentication extension is invoked for many requests, even small per-request allocations can compound into significant memory consumption.

Another angle is misuse of service hooks where data from Hmac-authenticated requests is pushed into shared containers (e.g., an array intended for analytics or debugging) without bounds or cleanup. If those containers hold references to payloads or signature metadata, the garbage collector cannot reclaim them. Middleware that reads raw request bodies into memory for signature verification must ensure those buffers are released promptly and are not kept alive by closures or event listeners.

To mitigate memory leaks when using Hmac Signatures in Feathersjs, focus on ensuring that per-request cryptographic material and state are not retained beyond the request lifecycle. Use streaming verification where possible, avoid caching derived keys in long-lived structures, and ensure buffers are released. Below is a secure pattern for Hmac authentication in a Feathersjs hook that avoids common retention pitfalls.

const crypto = require('crypto');

// Constant-time comparison helper to avoid timing leaks and ensure predictable behavior
function safeCompare(a, b) {
  if (a.length !== b.length) {
    return false;
  }
  return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
}

// Hmac authentication hook for Feathersjs services
function authenticateHmac(options = {}) {
  const { getSecret } = options;

  return async context => {
    const { headers } = context.params;
    const receivedSignature = headers['x-signature'];
    const timestamp = headers['x-timestamp'];
    const nonce = headers['x-nonce'];

    if (!receivedSignature || !timestamp || !nonce) {
      throw new Error('Missing authentication headers');
    }

    // Prevent replay: ensure timestamp is within an acceptable window (e.g., 5 minutes)
    const now = Date.now();
    const requestTime = Number(timestamp);
    if (Math.abs(now - requestTime) > 5 * 60 * 1000) {
      throw new Error('Request expired');
    }

    // Ensure getSecret is provided and returns a Buffer or string
    const secret = getSecret(context);
    if (!secret) {
      throw new Error('Server configuration error: missing Hmac secret');
    }

    // Build the data to verify without accumulating extra references
    const dataToVerify = `${timestamp}:${nonce}:${context.method}:${context.path}`;
    const computed = crypto.createHmac('sha256', secret)
                           .update(dataToVerify)
                           .digest('hex');

    // Clear variables where possible; Node.js GC will reclaim after function exit
    const isValid = safeCompare(computed, receivedSignature);
    if (!isValid) {
      throw new Error('Invalid signature');
    }

    // Attach minimal auth info to context, avoid attaching large buffers
    context.params.auth = {
      subject: 'hmac',
      timestamp: requestTime,
      nonce
    };

    // Explicitly nullify local references to sensitive material if needed
    // (Node.js will GC after function returns; this is defensive)
    return context;
  };
}

// Usage in a Feathersjs service configuration
const memoryService = app.service('memory');
memoryService.hooks({
  before: {
    all: [authenticateHmac({ getSecret: (ctx) => process.env.HMAC_SECRET })] // Ensure secret is managed securely
  }
});

Key practices to prevent leaks:

• Avoid attaching large buffers or raw payloads to the context or service state; only attach minimal metadata needed for authorization.
• Use streaming APIs for large payloads if you must compute Hmac over the body, and ensure the stream is consumed and released promptly.
• Do not store per-request signature material or derived keys in module-level maps or caches unless you implement strict size-based eviction and TTL.
• Keep hooks small and focused; if you need complex authentication, compose discrete steps and ensure intermediate variables go out of scope.
• Monitor heap usage in production; if you observe steady RSS growth correlated with request volume, audit hooks for retained closures or event listeners.