From 4042e74ff480d928d43e3eaa584723f377f81f02 Mon Sep 17 00:00:00 2001
From: Strohy
Date: Tue, 30 Apr 2024 19:08:34 +0530
Subject: [PATCH 1/2] feat: constant time comparison in authentication

---
 pyspider/webui/login.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyspider/webui/login.py b/pyspider/webui/login.py
index d32d5b73a..238b79f18 100644
--- a/pyspider/webui/login.py
+++ b/pyspider/webui/login.py
@@ -41,8 +41,8 @@ def __init__(self, id, password):
 def is_authenticated(self):
 if not app.config.get('webui_username'):
 return True
- if self.id == app.config.get('webui_username') \
- and self.password == app.config.get('webui_password'):
+ if hmac.compare_digest(self.id.encode('utf-8'), app.config.get('webui_username').encode('utf-8')) \
+ and hmac.compare_digest(self.password.encode('utf-8'), app.config.get('webui_password').encode('utf-8')):
 return True
 return False

From e0c62e988d9d6db3845bc7d7921f45a869fc38cd Mon Sep 17 00:00:00 2001
From: Strohy
Date: Wed, 1 May 2024 00:55:47 +0530
Subject: [PATCH 2/2] chore: update import

---
 pyspider/webui/login.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pyspider/webui/login.py b/pyspider/webui/login.py
index 238b79f18..a4c966c26 100644
--- a/pyspider/webui/login.py
+++ b/pyspider/webui/login.py
@@ -6,6 +6,7 @@ # Created on 2014-12-10 20:36:27
 import base64
+import hmac
 from flask import Response
 try:
 import flask_login as login
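Review bot: The `and` joining the two `hmac.compare_digest` calls in the added lines short-circuits, so when the username does not match the password digest is never computed and the request returns measurably faster than a valid username with a wrong password; since the commit's stated goal is constant-time authentication, both comparisons should run unconditionally and be combined with the non-short-circuiting `&`. The added lines also call `.encode('utf-8')` on `self.password` and on `app.config.get('webui_password')` with no None guard, so if a username is configured without a password, or a caller ever constructs `User` with `password=None`, the check now raises AttributeError where the old `==` simply returned False — the rewrite below coerces None to `''` before encoding. Note that `compare_digest` still returns early when the operands differ in length, so it hides the content of the credentials but not their length. Patch 1/2 uses `hmac` before the `import hmac` that only arrives in 2/2, so the intermediate commit raises NameError on the first authenticated request; folding the import into this commit keeps the series bisectable.
```python
    def is_authenticated(self):
        expected_user = app.config.get('webui_username')
        if not expected_user:
            return True
        expected_pw = app.config.get('webui_password') or ''
        # Compute both digests every time; `&` does not short-circuit like `and`.
        user_ok = hmac.compare_digest((self.id or '').encode('utf-8'), expected_user.encode('utf-8'))
        pw_ok = hmac.compare_digest((self.password or '').encode('utf-8'), expected_pw.encode('utf-8'))
        return user_ok & pw_ok
```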