From 7e252f089239729b1cb6a954918e4e4d91f806f2 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Mon, 1 Jun 2026 22:07:09 -0400
Subject: [PATCH] fix: Add missing safeEqual to notification unsubscribe endpoints (#12551)
---
 server/routes/api/notifications/notifications.ts | 2 +-
 server/routes/api/subscriptions/subscriptions.ts | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/server/routes/api/notifications/notifications.ts b/server/routes/api/notifications/notifications.ts
index 877079a307..13d8c617f2 100644
--- a/server/routes/api/notifications/notifications.ts
+++ b/server/routes/api/notifications/notifications.ts
@@ -39,7 +39,7 @@ const handleUnsubscribe = async (
 eventType
 );
 
-if (unsubscribeToken !== token) {
+if (!safeEqual(unsubscribeToken, token)) {
 ctx.redirect(`${env.URL}?notice=invalid-auth`);
 return;
 }
diff --git a/server/routes/api/subscriptions/subscriptions.ts b/server/routes/api/subscriptions/subscriptions.ts
index cd95682a29..9fdc5ffa7b 100644
--- a/server/routes/api/subscriptions/subscriptions.ts
+++ b/server/routes/api/subscriptions/subscriptions.ts
@@ -15,6 +15,7 @@ import { authorize } from "@server/policies";
 import { presentSubscription } from "@server/presenters";
 import type { APIContext } from "@server/types";
 import { RateLimiterStrategy } from "@server/utils/RateLimiter";
+import { safeEqual } from "@server/utils/crypto";
 import pagination from "../middlewares/pagination";
 import * as T from "./schema";
 
@@ -171,7 +172,7 @@ router.get(
 documentId
 );
 
-if (unsubscribeToken !== token) {
+if (!safeEqual(unsubscribeToken, token)) {
 ctx.redirect(`${env.URL}?notice=invalid-auth`);
 return;
 }
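Review bot: The new `if (!safeEqual(unsubscribeToken, token))` line only gives a constant-time comparison if `token` is guaranteed to be a string of the expected length, and nothing in this hunk shows that: since these are unsubscribe endpoints reached via `router.get(`, `token` presumably comes from the query string and could be undefined or an array, and whether `safeEqual` from `@server/utils/crypto` tolerates a non-string or a length mismatch (Node's `crypto.timingSafeEqual` throws on unequal lengths) is not visible here. If the `./schema` validation does not already pin `token` to a string, guard it first so a malformed request yields the `invalid-auth` redirect instead of an exception: `if (typeof token !== "string" || !safeEqual(unsubscribeToken, token)) {`. The same applies to the matching hunk at `@@ -171,7 +172,7 @@ router.get(` in subscriptions.ts. Also note that this notifications.ts hunk adds no import for `safeEqual` while subscriptions.ts needed one, so it is presumably already imported there — worth confirming, since the diffstat shows only the one-line change in this file. `handleUnsubscribe` starts and ends outside the hunk.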