Merge pull request #2120 from aftermath2/constant_time_password_comparison

Constant time password comparison
2025-09-13 00:56:22 +00:00 · 2025-07-28 09:53:58 +00:00
parent e8f6e0afaf 4a396a8990
commit 1bf5df500f
2 changed files with 9 additions and 7 deletions
--- a/api/views.py
+++ b/api/views.py
@ -1,4 +1,5 @@
 from datetime import datetime, timedelta
+from hmac import compare_digest

 from decouple import config
 from django.conf import settings
@ -558,11 +559,12 @@ class OrderView(viewsets.ViewSet):
                if not valid:
                    return Response(context, status=status.HTTP_409_CONFLICT)

-                if order.password is not None and order.password != password:
-                    return Response(
-                        {"bad_request": "Wrong password"},
-                        status=status.HTTP_403_FORBIDDEN,
-                    )
+                if order.password is not None:
+                    if password is None or not compare_digest(order.password, password):
+                        return Response(
+                            {"bad_request": "Wrong password"},
+                            status=status.HTTP_403_FORBIDDEN,
+                        )

                # For order with amount range, set the amount now.
                if order.has_range:
--- a/tests/README.md
+++ b/tests/README.md
@ -2,6 +2,6 @@

 ```
 docker compose -f docker-tests.yml --env-file tests/compose.env up -d
-docker exec coordinator coverage run manage.py test
-docker exec coordinator coverage report
+docker exec test-coordinator coverage run manage.py test
+docker exec test-coordinator coverage report
 ```