thePR0M3TH3AN/seedPass
1
0
Fork 0
mirror of https://github.com/PR0M3TH3AN/SeedPass.git synced 2025-09-09 15:58:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use constant-time token comparison

Browse Source
This commit is contained in:
thePR0M3TH3AN
2025-08-03 12:39:43 -04:00
parent 23a3ae3928
commit 3dc10ae448
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/seedpass/api.py
View File

@@ -17,6 +17,7 @@ import asyncio
import sys import sys
from fastapi.middleware.cors import CORSMiddleware from fastapi.middleware.cors import CORSMiddleware
import hashlib import hashlib
import hmac
from slowapi import Limiter, _rate_limit_exceeded_handler from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded from slowapi.errors import RateLimitExceeded
@@ -50,7 +51,7 @@ def _check_token(auth: str | None) -> None:
raise HTTPException(status_code=401, detail="Token expired") raise HTTPException(status_code=401, detail="Token expired")
except jwt.InvalidTokenError: except jwt.InvalidTokenError:
raise HTTPException(status_code=401, detail="Unauthorized") raise HTTPException(status_code=401, detail="Unauthorized")
if hashlib.sha256(token.encode()).hexdigest() != _token: if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), _token):
raise HTTPException(status_code=401, detail="Unauthorized") raise HTTPException(status_code=401, detail="Unauthorized")