feat: timing analysis protection for api key comparison

This commit is contained in:
Iain Learmonth 2026-05-19 12:53:31 +01:00
parent 6f8aed8fd9
commit 656d6e5dd2


@ -1,3 +1,4 @@
import secrets
from typing import Annotated from typing import Annotated
from fastapi import Depends, Header, HTTPException from fastapi import Depends, Header, HTTPException
@ -10,7 +11,7 @@ def api_key(host: str = Header(), authorization: str | None = Header(None)) -> b
if host.lower().strip() != settings.API_DOMAIN.strip(): if host.lower().strip() != settings.API_DOMAIN.strip():
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND) raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
try: try:
if authorization.split()[1] == settings.API_KEY: if secrets.compare_digest(authorization.split()[1], settings.API_KEY):
return True return True
return False return False
except AttributeError, TypeError, IndexError: except AttributeError, TypeError, IndexError:
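Review bot: The new `secrets.compare_digest(authorization.split()[1], settings.API_KEY)` on line 18 raises TypeError when either str argument contains a non-ASCII character, so a request whose Authorization header carries such a token never reaches the constant-time comparison and instead falls into the `except AttributeError, TypeError, IndexError:` handler, whose body lies outside this hunk; the same happens if `settings.API_KEY` is unset (None), which the old `==` simply returned False for. Relying on that broad except to absorb a comparison failure is fragile, and if the handler responds differently from the `return False` path it is also observable to a caller. Comparing bytes keeps every input on the same path: `token = authorization.split()[1].encode("utf-8")` followed by `if secrets.compare_digest(token, settings.API_KEY.encode("utf-8")):`. Separately, `split()[1]` still accepts any scheme word before the key (the commit leaves that as before); if only one scheme is intended, a `scheme, _, token = authorization.partition(" ")` with a `scheme.lower() == "bearer"` check would belong alongside this change. The `def api_key(...)` line is in the hunk header and the except handler continues past the hunk, so the fallback behaviour on TypeError cannot be confirmed from here.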