From 36cc39754862d548b07e3c616d06dd79eed2aa4d Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sat, 4 Apr 2026 19:49:25 +0900
Subject: [PATCH] fix: reuse shared Synology Chat secret compare
---
 CHANGELOG.md | 1 +
 extensions/synology-chat/src/security.ts | 13 +++----------
 2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1d7cc1d23d6..348ef668a26 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@ Docs: https://docs.openclaw.ai
 ### Fixes
+- Synology Chat/security: route webhook token comparison through the shared constant-time secret helper for consistency with other bundled plugins.
 - Models/MiniMax: honor `MINIMAX_API_HOST` for implicit bundled MiniMax provider catalogs so China-hosted API-key setups pick `api.minimaxi.com/anthropic` without manual provider config. (#34524) Thanks @caiqinghua.
 - Usage/MiniMax: invert remaining-style `usage_percent` fields when MiniMax reports only remaining percentage data, so usage bars stop showing nearly-full remaining quota as nearly-exhausted usage. (#60254) Thanks @jwchmodx.
 - MiniMax: advertise image input on bundled `MiniMax-M2.7` and `MiniMax-M2.7-highspeed` model definitions so image-capable flows can route through the M2.7 family correctly. (#54843) Thanks @MerlinMiao88888888.
diff --git a/extensions/synology-chat/src/security.ts b/extensions/synology-chat/src/security.ts
index c6a10560efb..4b65ea8c273 100644
--- a/extensions/synology-chat/src/security.ts
+++ b/extensions/synology-chat/src/security.ts
@@ -2,7 +2,7 @@
 * Security module: token validation, rate limiting, input sanitization, user allowlist.
 */
-import * as crypto from "node:crypto";
+import { safeEqualSecret } from "openclaw/plugin-sdk/browser-support";
 import {
 createFixedWindowRateLimiter,
 type FixedWindowRateLimiter,
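Review bot: The replacement import pulls the secret-comparison helper from a module whose name, `openclaw/plugin-sdk/browser-support`, gives a reader no hint that it is the canonical constant-time comparison entry point, so a future maintainer may not recognise it as a security primitive. A one-line comment above the import would carry that intent: `// safeEqualSecret is the shared constant-time secret comparison used by all bundled plugins.` The hunk also drops the `node:crypto` namespace import entirely; I cannot see the rest of security.ts from here, so please confirm nothing else in the file (rate limiting or sanitization helpers, per the module header) still references `crypto`.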
@@ -14,18 +14,11 @@ export type DmAuthorizationResult =
 /**
 * Validate webhook token using constant-time comparison.
- * Prevents timing attacks that could leak token bytes.
+ * Reject empty tokens explicitly; use shared constant-time comparison otherwise.
 */
 export function validateToken(received: string, expected: string): boolean {
 if (!received || !expected) return false;
-
- // Use HMAC to normalize lengths before comparison,
- // preventing timing side-channel on token length.
- const key = "openclaw-token-cmp";
- const a = crypto.createHmac("sha256", key).update(received).digest();
- const b = crypto.createHmac("sha256", key).update(expected).digest();
-
- return crypto.timingSafeEqual(a, b);
+ return safeEqualSecret(received, expected);
 }
 /**
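Review bot: The new `return safeEqualSecret(received, expected);` line removes the HMAC step that normalised both inputs to equal-length digests, so validateToken's behaviour for tokens of different lengths now rests entirely on a helper whose implementation is not visible in this diff; `crypto.timingSafeEqual`, which the removed code called, throws a RangeError on unequal-length buffers rather than returning false. Please confirm that safeEqualSecret returns false for a mismatched-length pair without throwing, and pin that with a unit test asserting `validateToken("abc", "abcd") === false` so an exception cannot escape into the webhook handler as an unhandled error. The updated doc comment could also state that contract directly, e.g. `* Tokens of different length compare unequal without throwing.`, since the old "prevents timing attacks that could leak token bytes" line was dropped and the remaining text does not say which guarantees the shared helper provides.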