From 3dc10ae44859e9ef1b74294609e717ac78ab41d8 Mon Sep 17 00:00:00 2001
From: thePR0M3TH3AN <53631862+PR0M3TH3AN@users.noreply.github.com>
Date: Sun, 3 Aug 2025 12:39:43 -0400
Subject: [PATCH] Use constant-time token comparison

---
 src/seedpass/api.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/seedpass/api.py b/src/seedpass/api.py
index 8e85955..f4b9864 100644
--- a/src/seedpass/api.py
+++ b/src/seedpass/api.py
@@ -17,6 +17,7 @@ import asyncio
 import sys
 from fastapi.middleware.cors import CORSMiddleware
 import hashlib
+import hmac
 from slowapi import Limiter, _rate_limit_exceeded_handler
 from slowapi.errors import RateLimitExceeded
@@ -50,7 +51,7 @@ def _check_token(auth: str | None) -> None:
         raise HTTPException(status_code=401, detail="Token expired")
     except jwt.InvalidTokenError:
         raise HTTPException(status_code=401, detail="Unauthorized")
-    if hashlib.sha256(token.encode()).hexdigest() != _token:
+    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), _token):
         raise HTTPException(status_code=401, detail="Unauthorized")
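Review bot: The new `hmac.compare_digest(...)` line in the second hunk raises `TypeError` when `_token` is `None` or a `bytes` value, whereas the old `!=` comparison simply failed closed with a 401; if `_token` can be unset before the API token is configured (its definition is outside this hunk, so this is inferred), an unauthenticated request would now surface as a 500 instead of being rejected. A cheap guard keeps the fail-closed behaviour: `if not _token or not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), _token):`. Note also that `compare_digest` on `str` arguments requires both to be ASCII-only, which holds for the hex digest but should be confirmed for however `_token` is stored. The body of `_check_token` starts before this hunk, so the `token` binding and the surrounding `try` are not visible here.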