security: fix timing attack vulnerability and incorrect method call

- Use secrets.compare_digest() for token comparison instead of == to
  prevent timing-based attacks that could leak token information
- Fix the module-level rotate_session_auth_token() wrapper to call the
  manager's rotate_session_token() instead of a non-existent manager method
  of the same name (the old call raised AttributeError at runtime)
This commit is contained in:
2026-02-05 00:36:07 +01:00
parent 2cb5263d9e
commit 7dae8faf62


@@ -83,8 +83,8 @@ class SessionTokenManager:
session_data = self._session_tokens[session_id]
# Check if token matches
if session_data["token"] != token:
# Check if token matches using constant-time comparison to prevent timing attacks
if not secrets.compare_digest(session_data["token"], token):
return False, "Invalid token"
# Check if token has expired
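Review bot: `secrets.compare_digest()` on the new `if` line raises TypeError instead of reporting a mismatch when `token` is not the same type as the stored token (e.g. `None` or `bytes`) or when either str contains non-ASCII characters, so a malformed caller-supplied token now turns the former `(False, "Invalid token")` result into an exception. Guarding the type and comparing UTF-8 bytes keeps the constant-time property while preserving the old failure mode: `if not isinstance(token, str) or not secrets.compare_digest(` / `        session_data["token"].encode("utf-8"), token.encode("utf-8")):` / `    return False, "Invalid token"`. The hunk does not show `import secrets`; confirm it is present at the top of the module, since the comparison is only reached after a session lookup and an import error would surface late. The enclosing method starts before and continues after this hunk.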
@@ -212,7 +212,7 @@ def revoke_session_auth_token(session_id: str) -> bool:
def rotate_session_auth_token(session_id: str) -> Optional[str]:
"""Rotate a session authentication token."""
return _session_token_manager.rotate_session_auth_token(session_id)
return _session_token_manager.rotate_session_token(session_id)
def cleanup_expired_auth_tokens() -> int:
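Review bot: The corrected call in `rotate_session_auth_token` previously targeted a method that did not exist, which means no test exercised this wrapper before the commit; a regression test that calls `rotate_session_auth_token()` on a known session and asserts a non-None str is returned would keep this from silently breaking again. The docstring should also state what the `Optional[str]` return means, presumably the new token, or `None` when the session is unknown or the manager declines to rotate, which I infer from the signature and cannot confirm from this hunk: `"""Rotate a session authentication token. Returns the new token, or None if rotation did not happen."""`.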