From 7dae8faf62fcc99fdf428c4945876f11b732b0bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torbj=C3=B8rn=20Lindahl?=
Date: Thu, 5 Feb 2026 00:36:07 +0100
Subject: [PATCH] security: fix timing attack vulnerability and incorrect method call
- Use secrets.compare_digest() for token comparison instead of == to prevent timing-based attacks that could leak token information
- Fix rotate_session_auth_token() to call the correct method rotate_session_token() instead of non-existent rotate_session_auth_token()
---
 session-manager/session_auth.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/session-manager/session_auth.py b/session-manager/session_auth.py
index 83f2af3..c81491c 100644
--- a/session-manager/session_auth.py
+++ b/session-manager/session_auth.py
@@ -83,8 +83,8 @@ class SessionTokenManager:
 session_data = self._session_tokens[session_id]
- # Check if token matches
- if session_data["token"] != token:
+ # Check if token matches using constant-time comparison to prevent timing attacks
+ if not secrets.compare_digest(session_data["token"], token):
 return False, "Invalid token"
 # Check if token has expired
@@ -212,7 +212,7 @@ def revoke_session_auth_token(session_id: str) -> bool:
 def rotate_session_auth_token(session_id: str) -> Optional[str]:
 """Rotate a session authentication token."""
- return _session_token_manager.rotate_session_auth_token(session_id)
+ return _session_token_manager.rotate_session_token(session_id)
 def cleanup_expired_auth_tokens() -> int:
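Review bot: The new `secrets.compare_digest(session_data["token"], token)` line changes the failure mode for malformed input: `compare_digest` raises `TypeError` when the two arguments are not both `str` or both bytes-like, and for `str` it also requires ASCII-only content, whereas the old `!=` simply returned `False` for anything that did not match. If `token` is caller-supplied (a header or cookie value), a non-string or non-ASCII value now surfaces as an unhandled exception instead of the `"Invalid token"` result, so the check should normalise first, e.g. `if not isinstance(token, str) or not secrets.compare_digest(session_data["token"].encode("utf-8"), token.encode("utf-8")):`. The diffstat shows all three insertions inside these two hunks, so no `import secrets` is added by this commit; it is presumably already imported for token generation, but worth confirming since a missing import would only fail at validation time. Note also that `compare_digest` is documented to leak length information only, which is acceptable here since tokens are fixed-length. The enclosing method starts and ends outside the hunk.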
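Review bot: The corrected call `_session_token_manager.rotate_session_token(session_id)` fixes an `AttributeError` that would have fired on every rotation, which means this wrapper can never have been exercised by a test; a unit test that rotates a token and asserts the previous token no longer validates would have caught the typo and should accompany the fix. The one-line docstring also leaves the `Optional[str]` return undocumented; I would extend it to `"""Rotate a session authentication token.` followed by `Returns the new token, or None if ``session_id`` is unknown — see SessionTokenManager.rotate_session_token."""`, with the None condition confirmed against the manager method, which is outside this hunk.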