| author | Emma Terzioglu <emreterzioglu49@gmail.com> | 2026-03-14 21:16:07 -0700 |
|---|---|---|
| committer | Emma Terzioglu <emreterzioglu49@gmail.com> | 2026-03-14 21:16:07 -0700 |
| commit | 9e094bebec1e2a7a319bdcac05f745292197a59a (patch) | |
| tree | c49dcb8d3fe46aeb3b653024ad2d602f911e2471 /src/admin.py | |
| parent | 7a33856a527aebbd8d2a624c6d5937c25c9a1d90 (diff) | |
safe password comparison w/ secrets module
Diffstat (limited to 'src/admin.py')
| -rw-r--r-- | src/admin.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/admin.py b/src/admin.py
index 4dc8b6c..f419dee 100644
--- a/src/admin.py
+++ b/src/admin.py
@@ -1,5 +1,6 @@
 import datetime
 import hashlib
+import secrets
 import uuid
 import marko
@@ -94,8 +95,7 @@ async def login():
 if form:
 password = hashlib.sha256(form["password"].encode()).hexdigest()
- # FIXME: this is insecure due to timing attacks. use a library for this comparison.
- if password == q.current_app.config["ADMIN_PASSWORD"]:
+ if secrets.compare_digest(password, q.current_app.config["ADMIN_PASSWORD"]):
 async with pool.acquire() as conn:
 ids = await conn.fetch(
 "INSERT INTO admin_logins (ipaddr) VALUES ($1) RETURNING id;",
 |
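Review bot: The constant-time compare on the new `if secrets.compare_digest(...)` line closes the timing channel, but the value being compared is still a single unsalted SHA-256 of the submitted password (the unchanged `password = hashlib.sha256(...).hexdigest()` line above it), so the stored `ADMIN_PASSWORD` digest offers little resistance to offline guessing if the config is ever exposed; a slow, salted KDF from the stdlib (`hashlib.scrypt` or `hashlib.pbkdf2_hmac`) would be the better stored-credential format. Note also that `secrets.compare_digest` raises `TypeError` instead of returning False when its two operands differ in type or a `str` operand contains non-ASCII characters, so the config value presumably has to be an ASCII hex `str` like `password` is — worth recording next to the check, e.g. `# ADMIN_PASSWORD must be the SHA-256 hex digest as a str: compare_digest raises TypeError on a str/bytes mismatch`. The enclosing `login()` starts before this hunk and continues after it.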
