Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(api): prevent timing attacke on api key (#1771)

This commit is contained in:
Jonas L 2022-04-17 18:55:18 +02:00 committed by GitHub
parent a090397989
commit 28fc8360a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
api/libretime_api/permissions.py
View File

@ -1,3 +1,5 @@
from secrets import compare_digest
from django.conf import settings from django.conf import settings
from rest_framework.permissions import BasePermission from rest_framework.permissions import BasePermission
@ -53,8 +55,7 @@ def check_authorization_header(request):
if auth_header.startswith("Api-Key"): if auth_header.startswith("Api-Key"):
token = auth_header.split()[1] token = auth_header.split()[1]
if token == settings.CONFIG.general.api_key: return compare_digest(token, settings.CONFIG.general.api_key)
return True
return False return False