From 28fc8360a3cb6ab5dc5893d1971e39a862631244 Mon Sep 17 00:00:00 2001
From: Jonas L
Date: Sun, 17 Apr 2022 18:55:18 +0200
Subject: [PATCH] fix(api): prevent timing attacke on api key (#1771)

---
 api/libretime_api/permissions.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/api/libretime_api/permissions.py b/api/libretime_api/permissions.py
index 27eca1368..a478e98ab 100644
--- a/api/libretime_api/permissions.py
+++ b/api/libretime_api/permissions.py
@@ -1,3 +1,5 @@
+from secrets import compare_digest
+
 from django.conf import settings
 from rest_framework.permissions import BasePermission
@@ -53,8 +55,7 @@ def check_authorization_header(request):
     if auth_header.startswith("Api-Key"):
         token = auth_header.split()[1]
-        if token == settings.CONFIG.general.api_key:
-            return True
+        return compare_digest(token, settings.CONFIG.general.api_key)
     return False
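Review bot: The new `compare_digest(token, settings.CONFIG.general.api_key)` line in the second hunk raises TypeError when either str argument contains non-ASCII characters, since secrets.compare_digest only accepts ASCII-only str or bytes, so an attacker-controlled header with a non-ASCII token turns the permission check into a 500 instead of a clean denial. The unchanged `token = auth_header.split()[1]` context line above it has the same failure mode for a bare `Api-Key` header with nothing after it (IndexError). Both are fixed by validating the header shape and comparing bytes: `parts = auth_header.split()`, `if len(parts) != 2: return False`, `return compare_digest(parts[1].encode(), settings.CONFIG.general.api_key.encode())` — this presumes api_key is a str, which the config loading outside this hunk would need to confirm. The body of check_authorization_header begins before this hunk, so earlier handling of auth_header is not visible here.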