Use constant-time token comparison

2025-09-08 07:18:47 +00:00 · 2025-08-03 12:39:43 -04:00
parent 23a3ae3928
commit 3dc10ae448
1 changed files with 2 additions and 1 deletions
--- a/src/seedpass/api.py
+++ b/src/seedpass/api.py
@@ -17,6 +17,7 @@ import asyncio
 import sys
 from fastapi.middleware.cors import CORSMiddleware
 import hashlib
+import hmac

 from slowapi import Limiter, _rate_limit_exceeded_handler
 from slowapi.errors import RateLimitExceeded
@@ -50,7 +51,7 @@ def _check_token(auth: str | None) -> None:
        raise HTTPException(status_code=401, detail="Token expired")
    except jwt.InvalidTokenError:
        raise HTTPException(status_code=401, detail="Unauthorized")
-    if hashlib.sha256(token.encode()).hexdigest() != _token:
+    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), _token):
        raise HTTPException(status_code=401, detail="Unauthorized")