Commit d73c319f authored by Julian's avatar Julian

Verify api keys in constant-time

This is just a quick fix. The verification code needs further work and
breaking changes to the config schema.
parent 5cbdc073
import functools import functools
import secrets
from flask import Blueprint, jsonify, current_app, request, abort from flask import Blueprint, jsonify, current_app, request, abort
...@@ -15,7 +16,10 @@ def apikey_required(scope=None): ...@@ -15,7 +16,10 @@ def apikey_required(scope=None):
if 'Authorization' not in request.headers or not request.headers['Authorization'].startswith('Bearer '): if 'Authorization' not in request.headers or not request.headers['Authorization'].startswith('Bearer '):
return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer'} return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer'}
token = request.headers['Authorization'][7:].strip() token = request.headers['Authorization'][7:].strip()
request.api_client = current_app.config['API_CLIENTS'].get(token) request.api_client = None
for client_token, client in current_app.config['API_CLIENTS'].items():
if secrets.compare_digest(client_token, token):
request.api_client = client
if request.api_client is None: if request.api_client is None:
return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="invalid_token"'} return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="invalid_token"'}
if scope is not None and scope not in request.api_client.get('scopes', []): if scope is not None and scope not in request.api_client.get('scopes', []):
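Review bot: `secrets.compare_digest(client_token, token)` raises TypeError when either str argument contains non-ASCII characters, and `token` comes straight from the request header, so a caller can turn the 401 path into an unhandled 500 simply by sending a non-ASCII bearer token. Comparing bytes avoids this: `if secrets.compare_digest(client_token.encode('utf-8'), token.encode('utf-8')):` (this assumes the configured keys are str; if the config could hold another type, convert explicitly first). The comparison still leaks the length of each configured key; if that matters, compare fixed-length digests of both sides instead (`hashlib.sha256(...).digest()`, with `hashlib` imported), which the description's planned rework could fold in. The loop appears to run to completion on purpose, with no `break`, so the work done does not depend on which client matched — that deserves a comment such as `# no break: check every key so timing does not depend on which one matches`. apikey_required begins before this hunk and its body continues past it.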
......