BBFbyOpus

2026-04-01 22:51:24 +07:00
parent 732313a61c
commit b6b25fa2a1
11 changed files with 160 additions and 72 deletions
--- a/app/api/deps.py
+++ b/app/api/deps.py
@@ -1,4 +1,5 @@
 import os
+import hmac
 import logging
 from dataclasses import dataclass
 from typing import Optional
@@ -49,8 +50,8 @@ async def verify_token(header_value: str = Depends(api_key_header)) -> AuthConte
            status_code=HTTP_403_FORBIDDEN, detail="API-ключ не передан"
        )

-    # Мастер-ключ
-    if header_value == MASTER_KEY:
+    # Мастер-ключ (timing-safe сравнение)
+    if hmac.compare_digest(header_value, MASTER_KEY):
        return AuthContext(is_master=True, is_admin=True, key_name="master")

    # Ищем в БД