From 4ffbf79adc3a3446c42cff3bb68f633e2b5b3210 Mon Sep 17 00:00:00 2001
From: Michel Roux
Date: Thu, 7 Nov 2024 00:19:38 +0100
Subject: [PATCH] fix: :lock: fix timing attack (thx azlux)
---
 backend/security.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/backend/security.py b/backend/security.py
index 80ec107..a392aaa 100644
--- a/backend/security.py
+++ b/backend/security.py
@@ -1,4 +1,5 @@
 from os import getenv
+from secrets import compare_digest
 from typing import Annotated
 
 from fastapi import Depends, HTTPException, Request
@@ -29,7 +30,7 @@ async def check_auth(
 user_index = usernames.index(credentials.username)
 password = passwords[user_index]
 
-if credentials.password != password:
+if not compare_digest(credentials.password.encode(), password.encode()):
 raise http_401()
 
 return credentials
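Review bot: The constant-time comparison covers only the password; the username lookup two lines above (`usernames.index(credentials.username)`) remains data-dependent, and if an unknown username is rejected before this point (that guard is outside the hunk, so this is inferred), response timing still distinguishes known from unknown usernames. A common mitigation is to always run `compare_digest` — against a placeholder value when the username is not found — before raising, so both failure paths do comparable work. The new line also deserves a short why-comment, e.g. `# constant-time compare so response timing does not reveal how much of the password matched`, and a note that `.encode()` is needed because `compare_digest` rejects non-ASCII `str`. `check_auth` begins and ends outside the hunk.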