use constant-time compare on password

Cycloctane · Cycloctane · commit 0e3e6e1419f1 · 2025-07-17T21:35:56.000+08:00
diff --git a/aiohttp_remotes/basic_auth.py b/aiohttp_remotes/basic_auth.py
@@ -1,5 +1,7 @@
 import base64
 import binascii
+from hashlib import sha256
+from secrets import compare_digest
 from typing import Awaitable, Callable, Iterable
 
 from typing_extensions import NoReturn
@@ -19,7 +21,7 @@ def __init__(
         white_paths: Iterable[str] = (),
     ) -> None:
         self._username = username
-        self._password = password
+        self._password_hash = sha256(password.encode("utf-8")).digest()
         self._realm = realm
         self._white_paths = set(white_paths)
 
@@ -58,7 +60,9 @@ async def middleware(
 
             username, password = credentials
 
-            if username != self._username or password != self._password:
+            if username != self._username or not compare_digest(
+                sha256(password.encode("utf-8")).digest(), self._password_hash
+            ):
                 return await self.raise_error(request)
 
         return await handler(request)
