Fix timing attack vulnerability in API key comparison
Co-authored-by: blackboxprogramming <118287761+blackboxprogramming@users.noreply.github.com>
@@ -1,5 +1,6 @@
|
|||||||
from __future__ import annotations
|
from __future__ import annotations
|
||||||
|
|
||||||
|
import secrets
|
||||||
from typing import List, Optional
|
from typing import List, Optional
|
||||||
|
|
||||||
from fastapi import Depends, Header, HTTPException, status
|
from fastapi import Depends, Header, HTTPException, status
|
||||||
@@ -23,7 +24,7 @@ def api_key_auth(
|
|||||||
if not provided_key and authorization and authorization.startswith("Bearer "):
|
if not provided_key and authorization and authorization.startswith("Bearer "):
|
||||||
provided_key = authorization.split(" ", 1)[1]
|
provided_key = authorization.split(" ", 1)[1]
|
||||||
|
|
||||||
if provided_key in api_keys:
|
if provided_key and any(secrets.compare_digest(provided_key, key) for key in api_keys):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid API key")
|
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid API key")
|
||||||
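Review bot: `secrets.compare_digest` raises `TypeError` when either argument is a `str` containing non-ASCII characters, so on the new `if provided_key and any(secrets.compare_digest(provided_key, key) for key in api_keys):` line a client that sends a non-ASCII `X-API-Key` or Bearer value (Starlette decodes header bytes as latin-1, so such values can reach here) gets an unhandled 500 instead of the intended 401. Comparing encoded bytes avoids this: `secrets.compare_digest(provided_key.encode("utf-8"), key.encode("utf-8"))`. Separately, `any(...)` stops at the first matching key, so response time still varies with where the matching key sits in `api_keys` — a much smaller leak than the original `in` test, but if a fully constant-time scan is wanted, fold over every key without short-circuiting, e.g. `matched = False` / `for key in api_keys: matched |= secrets.compare_digest(...)` / `if matched: return True`. `api_key_auth`'s signature and the header parsing start above the hunk, so I cannot confirm that `api_keys` holds only `str`; if it may also hold `bytes`, the encode step must be conditional.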
|
|||||||