fix: 🔒 fix timing attack (thx azlux)
All checks were successful
pilotwings / python (push) Successful in 2m27s
pilotwings / node (push) Successful in 33s
pilotwings / docker (push) Successful in 2m23s

This commit is contained in:
Michel Roux 2024-11-07 00:19:38 +01:00
parent 16e4120b24
commit 4ffbf79adc

View File

@ -1,4 +1,5 @@
from os import getenv
from secrets import compare_digest
from typing import Annotated
from fastapi import Depends, HTTPException, Request
@ -29,7 +30,7 @@ async def check_auth(
user_index = usernames.index(credentials.username)
password = passwords[user_index]
if credentials.password != password:
if not compare_digest(credentials.password.encode(), password.encode()):
raise http_401()
return credentials