From 45b9d0bb0500fd4593f3bdf9cf3b1e1b07b18ea1 Mon Sep 17 00:00:00 2001
From: Robert Goldmann <deadlocker@gmx.de>
Date: Sat, 16 Jan 2021 12:50:52 +0100
Subject: [PATCH] secure comparison of api keys (safer against timing attacks)

---
 src/Dependencies.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Dependencies.py b/src/Dependencies.py
index 022aee1..da430ca 100644
--- a/src/Dependencies.py
+++ b/src/Dependencies.py
@@ -1,3 +1,5 @@
+import secrets
+
 from fastapi import Security, HTTPException
 from fastapi.security import APIKeyHeader
 from starlette.status import HTTP_403_FORBIDDEN
@@ -18,5 +20,5 @@ API_KEY_HEADER = APIKeyHeader(name='apiKey')
 
 async def check_api_key(apiKey: str = Security(API_KEY_HEADER)):
     from main import API_KEY
-    if apiKey != API_KEY:
+    if not secrets.compare_digest(API_KEY, apiKey):
         raise HTTPException(status_code=HTTP_403_FORBIDDEN, detail='apiKey invalid')
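Review bot: `secrets.compare_digest` raises `TypeError` when either `str` argument contains non-ASCII characters, and `apiKey` here is an untrusted request header, so a header value with a non-ASCII byte would escape as an unhandled exception (a 500) instead of the intended 403. Comparing the UTF-8 encodings avoids that: `if not secrets.compare_digest(API_KEY.encode('utf-8'), apiKey.encode('utf-8')):`. Encoding also keeps the comparison correct if `API_KEY` is ever configured with non-ASCII characters. Note that `compare_digest` is constant-time only for equal-length inputs, which is the accepted trade-off here but worth a one-line comment above the `if`, e.g. `# constant-time compare; length of the key may still be inferred`. Whether `check_api_key` continues past the `raise` is outside this hunk.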
-- 
GitLab