From d73c319f7218b37eea6d18dd466f06b942f914a3 Mon Sep 17 00:00:00 2001
From: Julian Rother <julian@cccv.de>
Date: Tue, 7 Sep 2021 01:09:32 +0200
Subject: [PATCH] Verify api keys in constant-time

This is just a quick fix. The verification code needs further work and
breaking changes of the config schema.
---
 uffd/api/views.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/uffd/api/views.py b/uffd/api/views.py
index 18104c29..bc9aa0dd 100644
--- a/uffd/api/views.py
+++ b/uffd/api/views.py
@@ -1,4 +1,5 @@
 import functools
+import secrets
 
 from flask import Blueprint, jsonify, current_app, request, abort
 
@@ -15,7 +16,10 @@ def apikey_required(scope=None):
 			if 'Authorization' not in request.headers or not request.headers['Authorization'].startswith('Bearer '):
 				return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer'}
 			token = request.headers['Authorization'][7:].strip()
-			request.api_client = current_app.config['API_CLIENTS'].get(token)
+			request.api_client = None
+			for client_token, client in current_app.config['API_CLIENTS'].items():
+				if secrets.compare_digest(client_token, token):
+					request.api_client = client
 			if request.api_client is None:
 				return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="invalid_token"'}
 			if scope is not None and scope not in request.api_client.get('scopes', []):
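Review bot: `secrets.compare_digest` in the new loop raises `TypeError` when a `str` argument contains non-ASCII characters, and `token` is taken directly from the request's Authorization header, so a client sending a non-ASCII bearer value would likely get an unhandled exception (HTTP 500) instead of the 401 branch below. Comparing bytes avoids that: `if secrets.compare_digest(client_token.encode(), token.encode()):`. The missing `break` after a match looks deliberate, since it keeps the number of comparisons independent of which key matched; a short comment such as `# no break: always compare against every configured key` would stop a later cleanup from reintroducing the early exit. The decorator body starts before this hunk and continues after it, so any error handling around this code is not visible here.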
-- 
GitLab