changing password check to defend against possible timing attack

enowars · Jul 11, 2024 · 259b16e · 259b16e
1 parent e39ac94
commit 259b16e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/service/src/auth.py b/service/src/auth.py
@@ -12,6 +12,7 @@
 from Crypto.PublicKey import RSA
 import datetime
 from cryptography.hazmat.backends import default_backend
+import hmac
 
 
 auth = Blueprint('auth', __name__)
@@ -46,7 +47,7 @@ async def login():
         password = request.form.get('password')
         user = User.query.filter_by(email=email).first()
         if user:
-            if(user.password == password):
+            if(hmac.compare_digest(user.password.encode('utf-8'), password.encode('utf-8'))):
                 flash('Logged in successfully!', category='success')
                 login_user(user, remember=True)
                 return redirect(url_for('views.home'))

diff --git a/service/src/views.py b/service/src/views.py
@@ -19,6 +19,7 @@
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import serialization
 from authlib.jose import jwt
+import hmac
 
 
 views = Blueprint('views', __name__)
@@ -103,7 +104,7 @@ def creategroup(group_name, group_key):
 def join_group(group_id, key):
     group = db.session.query(MessageGroup).filter_by(id=group_id).first()
     if group:
-        if key == group.group_key:
+        if hmac.compare_digest(key.encode('utf-8'),group.group_key.encode('utf-8')):
             id = group.id
             UserId = current_user.id
             if db.session.query(user_group_association).filter_by(user_id=UserId, group_id=id).first():