Commit d73c319f authored by Julian's avatar Julian

Verify api keys in constant-time

This is just a quick fix. The verification code needs further work, including
breaking changes to the config schema.
parent 5cbdc073
Tags prod-2024-12-10_23-04
import functools import functools
import secrets
from flask import Blueprint, jsonify, current_app, request, abort from flask import Blueprint, jsonify, current_app, request, abort
...@@ -15,7 +16,10 @@ def apikey_required(scope=None): ...@@ -15,7 +16,10 @@ def apikey_required(scope=None):
if 'Authorization' not in request.headers or not request.headers['Authorization'].startswith('Bearer '): if 'Authorization' not in request.headers or not request.headers['Authorization'].startswith('Bearer '):
return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer'} return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer'}
token = request.headers['Authorization'][7:].strip() token = request.headers['Authorization'][7:].strip()
request.api_client = current_app.config['API_CLIENTS'].get(token) request.api_client = None
for client_token, client in current_app.config['API_CLIENTS'].items():
if secrets.compare_digest(client_token, token):
request.api_client = client
if request.api_client is None: if request.api_client is None:
return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="invalid_token"'} return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="invalid_token"'}
if scope is not None and scope not in request.api_client.get('scopes', []): if scope is not None and scope not in request.api_client.get('scopes', []):
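Review bot: `secrets.compare_digest` on two `str` values raises `TypeError` when either contains a non-ASCII character, so a client sending a Bearer token with non-ASCII bytes (Werkzeug decodes header values to `str`) turns the new loop into an unhandled exception and a 500 instead of the 401 the next branch intends. Comparing bytes avoids that: `if secrets.compare_digest(client_token.encode('utf-8'), token.encode('utf-8')):`. Note also that `compare_digest` still returns early on a length mismatch, so what is made constant-time here is the content comparison, not the key length; a short comment such as `# constant-time per key; length and key count are not hidden` would keep the next reader from over-trusting it. The enclosing `apikey_required` wrapper starts before and continues past this hunk.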