From: Adam Dullage Date: Wed, 24 Aug 2022 06:16:21 +0000 (+0100) Subject: Mitigate timing attacks at /api/token X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=307121392d80f463b088747fba0f5f2656e3be38;p=flatnotes.git Mitigate timing attacks at /api/token
---
diff --git a/flatnotes/main.py b/flatnotes/main.py
index d2063d6..cc80dfa 100644
--- a/flatnotes/main.py
+++ b/flatnotes/main.py
@@ -1,5 +1,6 @@
 import logging
 import os
+import secrets
 from typing import List, Literal
 
 from auth import (
@@ -33,10 +34,13 @@ flatnotes = Flatnotes(os.environ["FLATNOTES_PATH"])
 
 @app.post("/api/token")
 async def token(data: LoginModel):
-    if (
-        data.username.lower() != FLATNOTES_USERNAME.lower()
-        or data.password != FLATNOTES_PASSWORD
-    ):
+    username_correct = secrets.compare_digest(
+        FLATNOTES_USERNAME.lower(), data.username.lower()
+    )
+    password_correct = secrets.compare_digest(
+        FLATNOTES_PASSWORD, data.password
+    )
+    if not (username_correct and password_correct):
         raise HTTPException(
             status_code=400, detail="Incorrect username or password"
         )
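Review bot: `secrets.compare_digest` only accepts `str` operands when both are pure ASCII, so the two new calls in `token()` raise `TypeError` as soon as a client submits a non-ASCII username or password (or the configured `FLATNOTES_USERNAME`/`FLATNOTES_PASSWORD` contains one), which surfaces as an unhandled 500 instead of the intended 400 and gives an attacker a trivial way to make the login endpoint throw. Encoding all four operands to UTF-8 bytes keeps the constant-time comparison and removes that failure mode; passing the user-supplied value as the second argument, as the commit already does, is also the right order since CPython's loop length follows the second operand rather than the secret. The constant-time compare does nothing against plain online guessing, so if no rate limiting exists elsewhere in the app (not visible here) that remains an open gap worth a follow-up. The rest of `token()` after the `raise` is outside this hunk.
```python
async def token(data: LoginModel):
    # Compare as bytes: compare_digest() rejects non-ASCII str and would 500.
    username_correct = secrets.compare_digest(
        FLATNOTES_USERNAME.lower().encode("utf-8"),
        data.username.lower().encode("utf-8"),
    )
    password_correct = secrets.compare_digest(
        FLATNOTES_PASSWORD.encode("utf-8"), data.password.encode("utf-8")
    )
    # … unchanged: combined check and HTTPException(400) …
```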