Is sha1 necessary in cookie-signature on GitHub?

I don't know why sha1 is used at line 42 in https://github.com/tj/node-cookie-signature/blob/master/index.js

At line 42 in index.js you can see

return sha1(mac) == sha1(val) ? str : false;

I've tried changing it to

return mac == val ? str : false;

And it seems that the sign and unsign functions still work correctly.

What is the reason to use sha1 here? Is it a kind of security issue? Is sha1 necessary here?

It could help prevent a timing attack. String comparisons will return false on the first character that's different. So the longer a comparison takes, the more characters in the beginning of the string match. An attacker could try to guess the first character, then the next character, and so on.

Granted, such an attack would not be easy. But if latencies are sufficiently low and enough tries can be made at a high rate, it could be an issue.

By taking a hash, the comparison effectively becomes constant time.