fix: 🔒 fix timing attack (thx azlux)

2024-11-07 00:19:38 +01:00 · 2024-11-07 00:19:38 +01:00 · 4ffbf79adc
commit 4ffbf79adc
parent 16e4120b24
1 changed files with 2 additions and 1 deletions
--- a/backend/security.py
+++ b/backend/security.py
@ -1,4 +1,5 @@
 from os import getenv
+from secrets import compare_digest
 from typing import Annotated

 from fastapi import Depends, HTTPException, Request
@ -29,7 +30,7 @@ async def check_auth(
    user_index = usernames.index(credentials.username)
    password = passwords[user_index]

-    if credentials.password != password:
+    if not compare_digest(credentials.password.encode(), password.encode()):
        raise http_401()

    return credentials