fix: use constant-time comparison for tokens and consolidate admin auth #5

Merged

patillacode merged 4 commits from fix/constant-time-auth into main

2026-05-30 09:24:55 +02:00

patillacode commented

2026-05-30 08:59:21 +02:00

Owner

Replace == / != with secrets.compare_digest for admin token checks and token_map lookups.
Remove duplicated verify_admin from admin router in favour of the shared require_admin dependency in auth.py.

Replace `==` / `!=` with `secrets.compare_digest` for admin token checks and `token_map` lookups. Remove duplicated `verify_admin` from admin router in favour of the shared `require_admin` dependency in `auth.py`.

patillacode added 1 commit

2026-05-30 08:59:21 +02:00

fix: use constant-time comparison for tokens and consolidate admin auth

CI / test (pull_request) Successful in 24s

Details

8655a3b48b

Replace == / != with secrets.compare_digest for admin token checks and
token_map lookups. Remove duplicated verify_admin from admin router in
favour of the shared require_admin dependency in auth.py.

patillacode added 2 commits

2026-05-30 09:19:19 +02:00

Merge branch 'main' into fix/constant-time-auth b4b7670bda

fix: always return 403 from require_admin regardless of token validity

CI / test (pull_request) Failing after 19s

Details

5f10148dab

Catch the 401 that get_current_user raises for unknown tokens and
re-raise as 403, so admin routes don't reveal whether a token is
recognised. Add tests covering all three cases: admin pass, unknown
token, and valid non-admin token.

patillacode added 1 commit

2026-05-30 09:22:55 +02:00

fix: add 'from None' to suppress exception chaining in require_admin

CI / test (pull_request) Successful in 21s

Details

b5ca3b8a24