cal/paper-dynasty-database
1
0
Fork 0
Code Issues 7 Pull Requests 4 Actions Packages Projects Releases Wiki Activity

Use constant-time comparison for bearer token validation #8

New Issue
Closed
opened 2026-02-20 06:51:49 +00:00 by cal · 1 comment
cal commented 2026-02-20 06:51:49 +00:00
Owner
Copy Link

`app/dependencies.py:38` — `return token == AUTH_TOKEN`. Python string `==` short-circuits on first mismatch. Use `hmac.compare_digest()` instead.

Priority: low

\`app/dependencies.py:38\` — \`return token == AUTH_TOKEN\`. Python string \`==\` short-circuits on first mismatch. Use \`hmac.compare_digest()\` instead. **Priority**: low
cal added the
security
 label 2026-02-20 06:51:49 +00:00
cal added the
ai-working
 label 2026-03-04 05:30:59 +00:00
cal removed the
ai-working
 label 2026-03-04 05:31:44 +00:00
cal commented 2026-03-04 05:31:47 +00:00
Author
Owner
Copy Link

Fixed in PR #56: #56

Added import hmac and replaced token == AUTH_TOKEN with hmac.compare_digest(token, AUTH_TOKEN) in app/dependencies.py to prevent timing side-channel attacks on bearer token validation.

Fixed in PR #56: https://git.manticorum.com/cal/paper-dynasty-database/pulls/56 Added `import hmac` and replaced `token == AUTH_TOKEN` with `hmac.compare_digest(token, AUTH_TOKEN)` in `app/dependencies.py` to prevent timing side-channel attacks on bearer token validation.
cal added the
ai-pr-opened
 label 2026-03-04 05:31:49 +00:00
cal closed this issue 2026-03-05 03:44:14 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
ai-changes-requested

   
ai-failed

   
ai-merged

PR merged by AI ops agent

  
ai-pr-opened

   
ai-reviewed

   
ai-reviewing

   
ai-reviewing

   
ai-working

   
bug

   
enhancement

   
evolution

Card Evolution system

  
performance

   
phase-0

Render Pipeline Optimization

  
phase-1a

Schema & Data Foundation

  
phase-1b

API & Formula Engine

  
phase-1c

Bot Integration

  
phase-1d

Deployment

  
security

   
tech-debt

   
todo
No Label
ai-changes-requested
ai-failed
ai-merged
ai-pr-opened
ai-reviewed
ai-reviewing
ai-reviewing
ai-working
bug
enhancement
evolution
performance
phase-0
phase-1a
phase-1b
phase-1c
phase-1d
security
tech-debt
todo
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: cal/paper-dynasty-database#8
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?