From fb9c2d4e859582ee4e4cf9eaa15d7014b54c243a Mon Sep 17 00:00:00 2001
From: Cal Corum
Date: Tue, 3 Mar 2026 23:31:26 -0600
Subject: [PATCH] fix: use constant-time comparison for bearer token validation (#8)

Co-Authored-By: Claude Sonnet 4.6
---
 app/dependencies.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/dependencies.py b/app/dependencies.py
index 7120c59..774201f 100644
--- a/app/dependencies.py
+++ b/app/dependencies.py
@@ -1,4 +1,5 @@
 import datetime
+import hmac
 import logging
 import os
@@ -39,7 +40,7 @@ if os.environ.get("TESTING") == "True":
 def valid_token(token):
-    return token == AUTH_TOKEN
+    return hmac.compare_digest(token, AUTH_TOKEN)
 def int_timestamp(datetime_obj: datetime) -> int:
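Review bot: `hmac.compare_digest(token, AUTH_TOKEN)` raises TypeError in cases where the replaced `token == AUTH_TOKEN` simply returned False: when either argument is None (a missing header, or AUTH_TOKEN left unset — how AUTH_TOKEN is assigned is outside the hunk), when one side is str and the other bytes, or when a str argument contains non-ASCII characters. Depending on how the caller handles exceptions, a malformed bearer value would then surface as a server error instead of a rejected request, and the failure mode of this dependency changes silently. Normalising both sides to bytes keeps the constant-time comparison while restoring the old behaviour: `if not isinstance(token, str) or not isinstance(AUTH_TOKEN, str): return False` followed by `return hmac.compare_digest(token.encode("utf-8"), AUTH_TOKEN.encode("utf-8"))`. A one-line docstring such as `"""Return True when *token* equals AUTH_TOKEN, compared in constant time."""` would also help, since valid_token is otherwise undocumented.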