Merge pull request #22 from CSCfi/devel

blankdots · web-flow · commit 94e9893f90a1 · 2020-09-29T08:46:16.000+03:00
Devel
diff --git a/swift_sharing_request/__init__.py b/swift_sharing_request/__init__.py
@@ -2,6 +2,6 @@
 
 
 __name__ = "swift_sharing_request"
-__version__ = "0.4.3"
+__version__ = "0.4.4"
 __author__ = "CSC Developers"
 __license__ = "MIT License"
diff --git a/swift_sharing_request/auth.py b/swift_sharing_request/auth.py
@@ -13,6 +13,7 @@
 import hmac
 import time
 import logging
+import secrets
 
 import aiohttp.web
 from asyncpg import InterfaceError
@@ -64,7 +65,7 @@ async def test_signature(
             byte_message,
             digestmod="sha256"
         ).hexdigest()
-        if digest == signature:
+        if secrets.compare_digest(digest, signature):
             return
     raise aiohttp.web.HTTPUnauthorized(
         reason="Missing valid query signature"
@@ -107,8 +108,8 @@ async def handle_validate_authentication(
             except InterfaceError:
                 handle_dropped_connection(request)
         else:
-            LOGGER.debug(f"No project ID found in request {request}")
             if request.path != "/health":
+                LOGGER.debug(f"No project ID found in request {request}")
                 raise aiohttp.web.HTTPUnauthorized(
                     reason="No project ID in request"
                 )
