Mitigate timing attacks at /api/token
authorAdam Dullage <redacted>
Wed, 24 Aug 2022 06:16:21 +0000 (07:16 +0100)
committerAdam Dullage <redacted>
Wed, 24 Aug 2022 06:16:21 +0000 (07:16 +0100)
flatnotes/main.py

index d2063d69642253b4f9c19fbce0019de77e33deb9..cc80dfa034d031b47d40e9704e70f23243a45f11 100644 (file)
@@ -1,5 +1,6 @@
 import logging
 import os
+import secrets
 from typing import List, Literal
 
 from auth import (
@@ -33,10 +34,13 @@ flatnotes = Flatnotes(os.environ["FLATNOTES_PATH"])
 
 @app.post("/api/token")
 async def token(data: LoginModel):
-    if (
-        data.username.lower() != FLATNOTES_USERNAME.lower()
-        or data.password != FLATNOTES_PASSWORD
-    ):
+    username_correct = secrets.compare_digest(
+        FLATNOTES_USERNAME.lower(), data.username.lower()
+    )
+    password_correct = secrets.compare_digest(
+        FLATNOTES_PASSWORD, data.password
+    )
+    if not (username_correct and password_correct):
         raise HTTPException(
             status_code=400, detail="Incorrect username or password"
         )
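Review bot: `secrets.compare_digest` raises `TypeError` when either `str` argument contains non-ASCII characters, so a request whose `data.username` or `data.password` contains such characters will surface as an unhandled exception instead of the intended 400 — this applies to both compare_digest calls in this hunk. Compare UTF-8 bytes instead so every input takes the same path: `secrets.compare_digest(FLATNOTES_USERNAME.lower().encode("utf-8"), data.username.lower().encode("utf-8"))` and `secrets.compare_digest(FLATNOTES_PASSWORD.encode("utf-8"), data.password.encode("utf-8"))`. Note that compare_digest still returns early when lengths differ, so this leaks only credential length, which is the documented limit of the function rather than a defect here. The body of `token` continues past the end of the hunk.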