More secury (thanks �)

api/core.py

@@ -10,6 +10,7 @@ sys.path.append(project_root)
 
 import os
 import json
+import hmac
 import fastapi
 
 from dhooks import Webhook, Embed
@@ -31,7 +32,10 @@ async def check_core_auth(request):
     """
     received_auth = request.headers.get('Authorization')
 
-    if received_auth != os.environ['CORE_API_KEY']:
+    correct_core_api = os.environ['CORE_API_KEY']
+
+    # use hmac.compare_digest to prevent timing attacks
+    if received_auth and hmac.compare_digest(received_auth, correct_core_api):
         return fastapi.Response(status_code=403, content='Invalid or no API key given.')
 
 @router.get('/users')

api/transfer.py

@@ -44,12 +44,12 @@ async def handle(incoming_request):
     received_key = incoming_request.headers.get('Authorization')
 
     if not received_key or not received_key.startswith('Bearer '):
-        return await errors.error(401, 'No NovaAI API key given!', 'Add \'Authorization: Bearer nv-...\' to your request headers.')
+        return await errors.error(403, 'No NovaAI API key given!', 'Add \'Authorization: Bearer nv-...\' to your request headers.')
 
     user = await users.user_by_api_key(received_key.split('Bearer ')[1].strip())
 
     if not user or not user['status']['active']:
-        return await errors.error(401, 'Invalid or inactive NovaAI API key!', 'Create a new NovaOSS API key or reactivate your account.')
+        return await errors.error(403, 'Invalid or inactive NovaAI API key!', 'Create a new NovaOSS API key or reactivate your account.')
 
     ban_reason = user['status']['ban_reason']
     if ban_reason: