fix: use constant-time comparison for bearer token validation (#8) #56

Merged
cal merged 1 commits from ai/paper-dynasty-database#8 into next-release 2026-03-05 03:44:14 +00:00
Owner

Summary

Replaces Python's == string comparison in valid_token() with hmac.compare_digest() to prevent timing-based side-channel attacks on bearer token validation.

Changes

  • app/dependencies.py: Added import hmac and changed return token == AUTH_TOKEN → return hmac.compare_digest(token, AUTH_TOKEN)

Why

Python's == operator short-circuits on the first mismatched character, leaking timing information that an attacker could use to brute-force the token one character at a time. hmac.compare_digest() takes constant time regardless of where a mismatch occurs.

Tests

No test suite — changes verified by reading the modified file.

Closes #8

cal added 1 commit 2026-03-04 05:31:38 +00:00
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cal added the
ai-reviewing
label 2026-03-04 05:47:04 +00:00
cal reviewed 2026-03-04 05:47:57 +00:00
cal left a comment
Author
Owner

AI Code Review

Files Reviewed

  • app/dependencies.py (modified)

Findings

Correctness

  • The implementation matches the PR description exactly: import hmac added (alphabetically ordered between datetime and logging) and return token == AUTH_TOKEN replaced with return hmac.compare_digest(token, AUTH_TOKEN).
  • hmac.compare_digest() accepts str arguments (since Python 3.3). Both token (from OAuth2 bearer) and AUTH_TOKEN (f-string from env var) are strings — no TypeError risk.
  • The fix is applied to the only call site — valid_token() on line 41.

Security

  • The fix correctly addresses the timing side-channel: Python's == short-circuits on the first mismatched byte, leaking information about how many leading characters match. hmac.compare_digest() takes constant time regardless of mismatch position.
  • Note: AUTH_TOKEN = f'{os.environ.get("API_TOKEN")}' will produce the string "None" if the env var is unset rather than raising an error or failing loudly. Pre-existing issue, out of scope for this PR.

Style & Conventions

  • No issues. Import is correctly placed alphabetically. Change is minimal and focused.

Suggestions

  • None.

Verdict: APPROVED

Correct, minimal security fix. hmac.compare_digest() is the standard library solution for this exact problem and is used appropriately here. No issues found.


Automated review by Claude PR Reviewer
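The before/after shapes of the check this PR changes, together with a startup guard for the unset-API_TOKEN case the review notes, as an added example that is not code from the project or the PR (function names, the env-dict parameter and the sample tokens are constructed for illustration):

```python
import hmac


def valid_token_before(token: str, expected: str) -> bool:
    # The original check from the PR description: `==` returns as soon as one
    # character differs, so the time taken depends on the length of the
    # matching prefix between the presented and expected token.
    return token == expected


def valid_token_after(token: str, expected: str) -> bool:
    # The fix: compare_digest runs in time that does not depend on where the
    # first mismatch is. Comparing bytes rather than str also avoids the
    # TypeError that compare_digest raises for str containing non-ASCII
    # characters, so a malformed header yields False instead of an exception.
    return hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8"))


def auth_token_legacy(env: dict) -> str:
    # Mirrors the pre-existing AUTH_TOKEN = f'{os.environ.get("API_TOKEN")}'
    # pattern the reviewer flagged: an unset variable becomes the literal
    # string "None", which the comparison above would then accept as valid.
    return f'{env.get("API_TOKEN")}'


def load_auth_token(env: dict) -> str:
    # Hypothetical hardened loader: fail loudly at startup instead of
    # silently validating against "None" or an empty string.
    value = env.get("API_TOKEN")
    if not value or value == "None":
        raise RuntimeError("API_TOKEN is not set")
    return value


if __name__ == "__main__":
    # Constructed sample environment; in the app this would be os.environ.
    secret = load_auth_token({"API_TOKEN": "s3cret-example-token"})
    print(valid_token_after("s3cret-example-token", secret))  # True
    print(valid_token_after("s3cret-example-tokeN", secret))  # False
```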

cal added
ai-reviewed
and removed
ai-reviewing
labels 2026-03-04 05:48:16 +00:00
cal force-pushed ai/paper-dynasty-database#8 from fb9c2d4e85 to 19ac5ffd0a 2026-03-05 03:44:03 +00:00 Compare
cal merged commit 9711f63da5 into next-release 2026-03-05 03:44:14 +00:00
cal deleted branch ai/paper-dynasty-database#8 2026-03-05 03:44:14 +00:00