Use constant time comparison in HTTP Basic Auth example #807
Conversation
Using this security best-practice in the example will encourage users to do the same in their code.
Codecov Report
@@ Coverage Diff @@
##           master   #807   +/-  ##
====================================
  Coverage     100%   100%
====================================
  Files         286    289    +3
  Lines        7466   7595  +129
====================================
+ Hits         7466   7595  +129
Thanks! Good idea 🔒 I'll review it thoroughly soon, as I would like to make it easy to understand for newbies as well, explaining what an HMAC is to developers, what "constant time" means, what a "time attack" means, why it matters, etc.
Thanks for your contribution @zwass ! I updated it a bit and merged it. 🎉 🔒 🍰
Great explanation. Thank you!
if credentials.username != "foo" or credentials.password != "password": | ||
correct_username = secrets.compare_digest(credentials.username, "stanleyjobson") | ||
correct_password = secrets.compare_digest(credentials.password, "swordfish") | ||
if not correct_username and correct_password: |
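Review bot: the new condition `if not correct_username and correct_password:` has a precedence bug. `not` binds tighter than `and`, so it parses as `(not correct_username) and correct_password`: the request is rejected only when the username is wrong and the password is right, and every other combination, including a correct username with any password, is accepted. Parenthesise the conjunction, `if not (correct_username and correct_password):`, so the whole check is negated. One further caveat on the `secrets.compare_digest` calls: with `str` arguments it raises `TypeError` when either side contains non-ASCII characters, so a client sending such a username or password would get a 500 instead of a 401; encoding both sides to bytes before comparing avoids that.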
This needs parentheses around it, or change the comparison to "or not":
if not correct_username and correct_password: | |
if not (correct_username and correct_password): |
Otherwise, if the username is bad but the password is good, the check will pass; and if the username is good, the check will pass regardless of the password.
Example:
https://repl.it/repls/WigglyLowestBackups
EDIT: Whoops, looks like this was fixed in #865. 👍 Truth tables are hard. :-)
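To make the two points in this thread concrete (the PR's switch to a constant-time comparison, and the operator-precedence bug in the review comment above), here is an added, self-contained example. It is not code from the FastAPI repository or from any participant in the thread; it uses the same demo credentials as the docs example ("stanleyjobson"/"swordfish"), keeps a deliberately buggy checker beside the corrected one so the difference is visible, encodes both sides to bytes before calling `secrets.compare_digest` so non-ASCII input yields a clean 401 instead of a `TypeError`, and adds a small Basic-Authorization header parser so the whole path from header to status code can be run offline without FastAPI. The function and constant names, and the sample inputs, are constructed for this example.

```python
import base64
import binascii
import secrets

# Constructed demo credentials (the values used in the docs example);
# real code would load them from configuration or a secret store.
EXPECTED_USERNAME = "stanleyjobson"
EXPECTED_PASSWORD = "swordfish"


def ct_equal(a: str, b: str) -> bool:
    """Constant-time equality for two strings.

    secrets.compare_digest accepts str only when both sides are pure ASCII
    and raises TypeError otherwise, so both sides are encoded to bytes first.
    Running time then depends on the lengths of the inputs, not on the
    position of the first mismatching byte, which is what a timing attack
    against a plain == would measure.
    """
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def credentials_ok_buggy(username: str, password: str) -> bool:
    """Reproduces the precedence bug flagged in the review comment.

    `not x and y` parses as `(not x) and y`, so the request is rejected only
    when the username is wrong AND the password is right; every other
    combination, including a correct username with any password and even
    wrong/wrong, is accepted.
    """
    correct_username = ct_equal(username, EXPECTED_USERNAME)
    correct_password = ct_equal(password, EXPECTED_PASSWORD)
    if not correct_username and correct_password:
        return False
    return True


def credentials_ok(username: str, password: str) -> bool:
    """Corrected check.

    Both comparisons are evaluated before the `if`, so the password is
    always compared even when the username is wrong (no early exit that
    reveals which half failed), and the two results are combined inside
    parentheses so the whole conjunction is negated.
    """
    correct_username = ct_equal(username, EXPECTED_USERNAME)
    correct_password = ct_equal(password, EXPECTED_PASSWORD)
    if not (correct_username and correct_password):
        return False
    return True


def parse_basic_auth(header: str):
    """Parse an HTTP Basic Authorization header into (username, password).

    Returns None for anything that is not well-formed Basic auth, so the
    caller can answer 401 without leaking why. The password may itself
    contain ':'; only the first colon separates the two fields.
    """
    scheme, _, data = header.strip().partition(" ")
    if scheme.lower() != "basic" or not data:
        return None
    try:
        decoded = base64.b64decode(data.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def make_basic_header(username: str, password: str) -> str:
    """Build the header a client would send (used here to construct inputs)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authorize(header: str) -> int:
    """Return the HTTP status the endpoint should answer with: 200 or 401."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return 401
    username, password = parsed
    return 200 if credentials_ok(username, password) else 401


if __name__ == "__main__":
    print(authorize(make_basic_header("stanleyjobson", "swordfish")))  # 200
    print(authorize(make_basic_header("stanleyjobson", "wrong")))      # 401
    print(credentials_ok_buggy("stanleyjobson", "wrong"))               # True (the bug)
```

Note that `credentials_ok` still uses `and`; that is safe here because both `ct_equal` calls have already run by the time the `if` is reached, so there is no short-circuit that skips the password comparison when the username is wrong.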
@tiangolo Why do you use