Use constant time comparison in HTTP Basic Auth example#807
Using this security best-practice in the example will encourage users to do the same in their code.
Codecov Report
| Coverage Diff | master | #807 | +/- |
|---|---|---|---|
| Coverage | 100% | 100% | |
| Files | 286 | 289 | +3 |
| Lines | 7466 | 7595 | +129 |
| Hits | 7466 | 7595 | +129 |
Continue to review full report at Codecov.
Thanks! Good idea 🔒 I'll review it thoroughly soon, as I would like to make it easy to understand for newbies as well, explaining what an HMAC is to developers, what "constant time" means, what a "timing attack" means, why it matters, etc.
Thanks for your contribution @zwass! I updated it a bit and merged it. 🎉 🔒 🍰
Great explanation. Thank you!
| if credentials.username != "foo" or credentials.password != "password": | ||
| correct_username = secrets.compare_digest(credentials.username, "stanleyjobson") | ||
| correct_password = secrets.compare_digest(credentials.password, "swordfish") | ||
| if not correct_username and correct_password: |
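Review bot: the new condition `if not correct_username and correct_password:` binds as `(not correct_username) and correct_password`, so the rejection branch only runs for a wrong username paired with the correct password; a correct username is accepted with any password, and a wrong username with a wrong password is accepted as well. It should read `if not (correct_username and correct_password):`. Evaluating both `secrets.compare_digest` calls before the branch is the right shape, since short-circuiting on the username would leak which field was wrong through timing; note also that `compare_digest` only accepts `str` arguments when both are ASCII, so encoding both sides to bytes would avoid a `TypeError` on non-ASCII input.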
This needs parentheses around it, or change the comparison to or not:
| if not correct_username and correct_password: | |
| if not (correct_username and correct_password): |
Otherwise, if the username is bad but the password is good, the check will pass, as well as if the username is good, the check will pass regardless of the password.
Example:
https://repl.it/repls/WigglyLowestBackups
EDIT: Whoops, looks like this was fixed in #865. 👍 Truth tables are hard. :-)
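The corrected check from the review thread above, written out as a stand-alone Python example. This is added here and is not the project's docs code: it keeps the snippet's credential values and variable names, returns a bool where the docs raise an HTTP 401, adds a hypothetical `_ct_equal` wrapper that encodes to bytes before calling `secrets.compare_digest`, and places the merged `not a and b` form next to the fixed `not (a and b)` form so the truth table can be checked by running it.

```python
import secrets


def _ct_equal(a: str, b: str) -> bool:
    """Constant-time string equality (hypothetical helper for this example).

    secrets.compare_digest takes time that does not depend on where the
    inputs first differ, so an attacker cannot learn a match byte by byte
    from response timing. It only accepts str when both values are pure
    ASCII, so encode to bytes first to be safe for any input.
    """
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


# Expected credentials, the same example values as in the snippet above.
EXPECTED_USERNAME = "stanleyjobson"
EXPECTED_PASSWORD = "swordfish"


def verify_as_merged(username: str, password: str) -> bool:
    """The condition as first merged.

    `not a and b` parses as `(not a) and b`, so the rejection branch only
    fires for a wrong username combined with a correct password; every other
    combination, including a correct username with a wrong password, passes.
    """
    correct_username = _ct_equal(username, EXPECTED_USERNAME)
    correct_password = _ct_equal(password, EXPECTED_PASSWORD)
    if not correct_username and correct_password:
        return False  # the docs raise HTTPException(401) here
    return True


def verify_fixed(username: str, password: str) -> bool:
    """Corrected condition: reject unless both comparisons succeed.

    Both compare_digest calls run unconditionally before the branch, so the
    time taken does not reveal whether the username alone was correct.
    """
    correct_username = _ct_equal(username, EXPECTED_USERNAME)
    correct_password = _ct_equal(password, EXPECTED_PASSWORD)
    if not (correct_username and correct_password):
        return False
    return True


def truth_table(check) -> dict:
    """Run a checker over all four good/bad combinations (constructed inputs)."""
    cases = {
        ("good", "good"): (EXPECTED_USERNAME, EXPECTED_PASSWORD),
        ("good", "bad"): (EXPECTED_USERNAME, "letmein"),
        ("bad", "good"): ("alice", EXPECTED_PASSWORD),
        ("bad", "bad"): ("alice", "letmein"),
    }
    return {k: check(u, p) for k, (u, p) in cases.items()}


if __name__ == "__main__":
    for name, fn in (("as merged", verify_as_merged), ("fixed", verify_fixed)):
        print(name, truth_table(fn))
```

Running it prints the four-row truth table for each variant; only the fixed form accepts exactly the (good, good) row. Encoding to bytes in `_ct_equal` is the caveat that matters once usernames are not guaranteed ASCII, because `secrets.compare_digest` raises `TypeError` on non-ASCII `str` arguments rather than comparing them.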
@tiangolo Why do you use