From 45b9d0bb0500fd4593f3bdf9cf3b1e1b07b18ea1 Mon Sep 17 00:00:00 2001
From: Robert Goldmann <deadlocker@gmx.de>
Date: Sat, 16 Jan 2021 12:50:52 +0100
Subject: [PATCH] secure comparison of api keys (safer against timing attacks)
---
 src/Dependencies.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/Dependencies.py b/src/Dependencies.py
index 022aee1..da430ca 100644
--- a/src/Dependencies.py
+++ b/src/Dependencies.py
@@ -1,3 +1,5 @@
+import secrets
+
 from fastapi import Security, HTTPException
 from fastapi.security import APIKeyHeader
 from starlette.status import HTTP_403_FORBIDDEN
@@ -18,5 +20,5 @@ API_KEY_HEADER = APIKeyHeader(name='apiKey')
 async def check_api_key(apiKey: str = Security(API_KEY_HEADER)):
     from main import API_KEY
-    if apiKey != API_KEY:
+    if not secrets.compare_digest(API_KEY, apiKey):
         raise HTTPException(status_code=HTTP_403_FORBIDDEN, detail='apiKey invalid')
-- 
GitLab
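Review bot: The new condition `if not secrets.compare_digest(API_KEY, apiKey):` raises `TypeError` rather than returning False when either `str` operand contains a non-ASCII character, so a request whose `apiKey` header holds such a value now ends in an unhandled exception (a 500) where the old `!=` produced the intended 403. Comparing the UTF-8 encodings keeps the constant-time property and removes that failure mode: `if not secrets.compare_digest(API_KEY.encode('utf-8'), apiKey.encode('utf-8')):`. This assumes `API_KEY` imported from `main` is a `str`, which the hunk does not show; if it is already `bytes`, encode only `apiKey`. A short comment on the line, `# constant-time compare; both sides must be bytes so non-ASCII input cannot raise`, would record why the plain inequality was replaced.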