From 998139d4d8e0a3504d28bacebe750e90a97b0e1c Mon Sep 17 00:00:00 2001
From: nsde
Date: Mon, 21 Aug 2023 21:09:22 +0200
Subject: [PATCH] =?UTF-8?q?More=20secury=20(thanks=20=EF=BF=BD)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 api/core.py     | 6 +++++-
 api/transfer.py | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/api/core.py b/api/core.py
index ffdb08c..6dd6381 100644
--- a/api/core.py
+++ b/api/core.py
@@ -10,6 +10,7 @@ sys.path.append(project_root)
 import os
 import json
+import hmac
 import fastapi
 from dhooks import Webhook, Embed
@@ -31,7 +32,10 @@ async def check_core_auth(request):
     """
     received_auth = request.headers.get('Authorization')
-    if received_auth != os.environ['CORE_API_KEY']:
+    correct_core_api = os.environ['CORE_API_KEY']
+
+    # use hmac.compare_digest to prevent timing attacks
+    if received_auth and hmac.compare_digest(received_auth, correct_core_api):
         return fastapi.Response(status_code=403, content='Invalid or no API key given.')
 @router.get('/users')
diff --git a/api/transfer.py b/api/transfer.py
index 76599b6..9fea652 100644
--- a/api/transfer.py
+++ b/api/transfer.py
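Review bot: The new condition in check_core_auth is inverted: `if received_auth and hmac.compare_digest(received_auth, correct_core_api):` produces the 403 only when the supplied key matches, and a missing or wrong key falls through past the guard, so the rewrite turns the check into a bypass rather than a hardening. It should read `if not received_auth or not hmac.compare_digest(received_auth, correct_core_api):`. Separately, hmac.compare_digest on two str values raises TypeError when either contains non-ASCII characters, so an odd header value would surface as a 500 instead of a 403; comparing `received_auth.encode()` with `correct_core_api.encode()` sidesteps that. The function's docstring opens before the hunk's first line, so the start of check_core_auth is outside this view.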
@@ -44,12 +44,12 @@ async def handle(incoming_request):
     received_key = incoming_request.headers.get('Authorization')
     if not received_key or not received_key.startswith('Bearer '):
-        return await errors.error(401, 'No NovaAI API key given!', 'Add \'Authorization: Bearer nv-...\' to your request headers.')
+        return await errors.error(403, 'No NovaAI API key given!', 'Add \'Authorization: Bearer nv-...\' to your request headers.')
     user = await users.user_by_api_key(received_key.split('Bearer ')[1].strip())
     if not user or not user['status']['active']:
-        return await errors.error(401, 'Invalid or inactive NovaAI API key!', 'Create a new NovaOSS API key or reactivate your account.')
+        return await errors.error(403, 'Invalid or inactive NovaAI API key!', 'Create a new NovaOSS API key or reactivate your account.')
     ban_reason = user['status']['ban_reason']
     if ban_reason:
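Review bot: Switching both early returns in handle from 401 to 403 picks the status that does not match the condition: each branch fires when no usable credential was presented (missing or malformed Bearer header, or a key that resolves to no active user), which is what 401 Unauthorized expresses, whereas 403 is for a caller whose identity is established but who lacks permission. If the intent was to stop revealing whether a key exists, the two distinct messages ('No NovaAI API key given!' versus 'Invalid or inactive NovaAI API key!') still separate the cases, so the status change alone does not achieve that. I would keep 401 on both lines, or otherwise add a comment above the first return explaining the choice, e.g. `# 403 on purpose: see <reason>`. The ban_reason branch continues outside the hunk.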