From 656d6e5dd227fc47a13ada8224b33e48d9e35766 Mon Sep 17 00:00:00 2001
From: irl
Date: Tue, 19 May 2026 12:53:31 +0100
Subject: [PATCH] feat: timing analysis protection for api key comparison

---
 src/security.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/security.py b/src/security.py
index 6ca35fc..3c49e4a 100644
--- a/src/security.py
+++ b/src/security.py
@@ -1,3 +1,4 @@
+import secrets
 from typing import Annotated
 from fastapi import Depends, Header, HTTPException
@@ -10,7 +11,7 @@ def api_key(host: str = Header(), authorization: str | None = Header(None)) -> b
     if host.lower().strip() != settings.API_DOMAIN.strip():
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
     try:
-        if authorization.split()[1] == settings.API_KEY:
+        if secrets.compare_digest(authorization.split()[1], settings.API_KEY):
             return True
         return False
     except AttributeError, TypeError, IndexError:
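Review bot: `secrets.compare_digest` raises `TypeError` when either `str` argument contains a non-ASCII character, so a client token (or a `settings.API_KEY`) with non-ASCII bytes never reaches the comparison and falls into the `except` branch; encode both sides first, `secrets.compare_digest(authorization.split()[1].encode("utf-8"), settings.API_KEY.encode("utf-8"))`, so the constant-time compare runs on every input and `TypeError` is reserved for genuine type mismatches. The new line keeps taking the second whitespace-separated token regardless of scheme, so `Basic <key>` or `X <key> trailing` authenticates exactly like `Bearer <key>`; a `scheme, _, token = authorization.partition(" ")` with a check that `scheme == "Bearer"` would close that, though it is pre-existing behaviour rather than something this commit introduced. As shown, the context line `except AttributeError, TypeError, IndexError:` is Python 2 syntax and a `SyntaxError` on the Python 3 this file targets (it already uses `str | None`); if that is not an extraction artefact it needs to be `except (AttributeError, TypeError, IndexError):`. The body of `api_key` continues past the hunk, so what the except branch returns is not visible here.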