More secury (thanks �)

2024-11-25 16:23:57 +01:00 · 2023-08-21 21:09:22 +02:00 · 2023-08-21 21:09:22 +02:00 · 998139d4d8
parent eb6ebd2112
commit 998139d4d8
2 changed files with 7 additions and 3 deletions
--- a/api/core.py
+++ b/api/core.py
@ -10,6 +10,7 @@ sys.path.append(project_root)

 import os
 import json
+import hmac
 import fastapi

 from dhooks import Webhook, Embed
@ -31,7 +32,10 @@ async def check_core_auth(request):
    """
    received_auth = request.headers.get('Authorization')

-    if received_auth != os.environ['CORE_API_KEY']:
+    correct_core_api = os.environ['CORE_API_KEY']
+
+    # use hmac.compare_digest to prevent timing attacks
+    if received_auth and hmac.compare_digest(received_auth, correct_core_api):
        return fastapi.Response(status_code=403, content='Invalid or no API key given.')

@router.get('/users')
--- a/api/transfer.py
+++ b/api/transfer.py
@ -44,12 +44,12 @@ async def handle(incoming_request):
    received_key = incoming_request.headers.get('Authorization')

    if not received_key or not received_key.startswith('Bearer '):
-        return await errors.error(401, 'No NovaAI API key given!', 'Add \'Authorization: Bearer nv-...\' to your request headers.')
+        return await errors.error(403, 'No NovaAI API key given!', 'Add \'Authorization: Bearer nv-...\' to your request headers.')

    user = await users.user_by_api_key(received_key.split('Bearer ')[1].strip())

    if not user or not user['status']['active']:
-        return await errors.error(401, 'Invalid or inactive NovaAI API key!', 'Create a new NovaOSS API key or reactivate your account.')
+        return await errors.error(403, 'Invalid or inactive NovaAI API key!', 'Create a new NovaOSS API key or reactivate your account.')

    ban_reason = user['status']['ban_reason']
    if ban_reason: