From 28fc8360a3cb6ab5dc5893d1971e39a862631244 Mon Sep 17 00:00:00 2001
From: Jonas L <jooola@users.noreply.github.com>
Date: Sun, 17 Apr 2022 18:55:18 +0200
Subject: [PATCH] fix(api): prevent timing attacke on api key (#1771)

---
 api/libretime_api/permissions.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/api/libretime_api/permissions.py b/api/libretime_api/permissions.py
index 27eca1368..a478e98ab 100644
--- a/api/libretime_api/permissions.py
+++ b/api/libretime_api/permissions.py
@@ -1,3 +1,5 @@
+from secrets import compare_digest
+
 from django.conf import settings
 from rest_framework.permissions import BasePermission
 
@@ -53,8 +55,7 @@ def check_authorization_header(request):
 
     if auth_header.startswith("Api-Key"):
         token = auth_header.split()[1]
-        if token == settings.CONFIG.general.api_key:
-            return True
+        return compare_digest(token, settings.CONFIG.general.api_key)
     return False