ATH-01-005: use hmac.compare_digest for secret_key authentication
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
6a7c2e0662
commit
267938d435
|
@ -1,6 +1,6 @@
|
|||
"""API Authentication"""
|
||||
from typing import Any, Optional
|
||||
|
||||
from hmac import compare_digest
|
||||
from django.conf import settings
|
||||
from rest_framework.authentication import BaseAuthentication, get_authorization_header
|
||||
from rest_framework.exceptions import AuthenticationFailed
|
||||
|
@ -78,7 +78,7 @@ def token_secret_key(value: str) -> Optional[User]:
|
|||
and return the service account for the managed outpost"""
|
||||
from authentik.outposts.apps import MANAGED_OUTPOST
|
||||
|
||||
if value != settings.SECRET_KEY:
|
||||
if not compare_digest(value, settings.SECRET_KEY):
|
||||
return None
|
||||
outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
|
||||
if not outposts:
|
||||
|
|
Reference in a new issue