More secury (thanks �)

This commit is contained in:
nsde 2023-08-21 21:09:22 +02:00
parent eb6ebd2112
commit 998139d4d8
2 changed files with 7 additions and 3 deletions


@ -10,6 +10,7 @@ sys.path.append(project_root)
import os import os
import json import json
import hmac
import fastapi import fastapi
from dhooks import Webhook, Embed from dhooks import Webhook, Embed
@ -31,7 +32,10 @@ async def check_core_auth(request):
""" """
received_auth = request.headers.get('Authorization') received_auth = request.headers.get('Authorization')
if received_auth != os.environ['CORE_API_KEY']: correct_core_api = os.environ['CORE_API_KEY']
# use hmac.compare_digest to prevent timing attacks
if received_auth and hmac.compare_digest(received_auth, correct_core_api):
return fastapi.Response(status_code=403, content='Invalid or no API key given.') return fastapi.Response(status_code=403, content='Invalid or no API key given.')
@router.get('/users') @router.get('/users')
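Review bot: The rewritten guard `if received_auth and hmac.compare_digest(received_auth, correct_core_api):` is inverted — the 403 response on the following line is now returned exactly when the header matches CORE_API_KEY, while a missing or wrong key falls through past the check, so the constant-time comparison has turned the auth check into a fail-open one. The condition should read `if not received_auth or not hmac.compare_digest(received_auth, correct_core_api):`. Note also that `hmac.compare_digest` on two `str` arguments raises TypeError when either contains non-ASCII characters, so a header with such content would produce an unhandled exception instead of the 403; encoding both sides to bytes before comparing avoids that. check_core_auth's definition begins before this hunk and its body continues after it.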


@ -44,12 +44,12 @@ async def handle(incoming_request):
received_key = incoming_request.headers.get('Authorization') received_key = incoming_request.headers.get('Authorization')
if not received_key or not received_key.startswith('Bearer '): if not received_key or not received_key.startswith('Bearer '):
return await errors.error(401, 'No NovaAI API key given!', 'Add \'Authorization: Bearer nv-...\' to your request headers.') return await errors.error(403, 'No NovaAI API key given!', 'Add \'Authorization: Bearer nv-...\' to your request headers.')
user = await users.user_by_api_key(received_key.split('Bearer ')[1].strip()) user = await users.user_by_api_key(received_key.split('Bearer ')[1].strip())
if not user or not user['status']['active']: if not user or not user['status']['active']:
return await errors.error(401, 'Invalid or inactive NovaAI API key!', 'Create a new NovaOSS API key or reactivate your account.') return await errors.error(403, 'Invalid or inactive NovaAI API key!', 'Create a new NovaOSS API key or reactivate your account.')
ban_reason = user['status']['ban_reason'] ban_reason = user['status']['ban_reason']
if ban_reason: if ban_reason:
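Review bot: Changing both error responses from 401 to 403 moves them away from the HTTP semantics they fit: a missing or malformed header (`if not received_key or not received_key.startswith('Bearer '):`) and an unknown or inactive key are both cases of absent or invalid credentials, which is what 401 Unauthorized expresses (RFC 7235 also expects a `WWW-Authenticate` header alongside it), whereas 403 Forbidden means the credentials were accepted but the action is not permitted. The switch does not hide anything from a caller either, since the two branches still return distinct messages ('No NovaAI API key given!' vs 'Invalid or inactive NovaAI API key!'), so the security gain implied by the commit title is unclear. If the intent was to give callers a uniform response, keeping 401 and making the two messages identical would achieve that without repurposing 403. handle's definition begins before this hunk and its body continues past it.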