From d69d84e48cdc0fa921707e587f0356a4fbbc8d90 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 7 Jun 2023 12:32:00 +0200
Subject: [PATCH] ATH-01-005: use hmac.compare_digest for secret_key authentication

Signed-off-by: Jens Langhammer
---
 authentik/api/authentication.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/authentik/api/authentication.py b/authentik/api/authentication.py
index 1e4870828..32e5949d7 100644
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -1,6 +1,6 @@
 """API Authentication"""
 from typing import Any, Optional
-
+from hmac import compare_digest
 from django.conf import settings
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
@@ -78,7 +78,7 @@ def token_secret_key(value: str) -> Optional[User]:
     and return the service account for the managed outpost"""
     from authentik.outposts.apps import MANAGED_OUTPOST
 
-    if value != settings.SECRET_KEY:
+    if not compare_digest(value, settings.SECRET_KEY):
         return None
     outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
     if not outposts:
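Review bot: The new comparison on the `+` line of the second hunk raises `TypeError` instead of returning `None` when either argument contains a non-ASCII character, because `hmac.compare_digest` accepts `str` operands only if both are pure ASCII. `value` is the caller-supplied token, so a client presenting a non-ASCII bearer token would presumably turn a normal authentication failure into an unhandled exception unless an earlier layer already rejects such input, and a non-ASCII `SECRET_KEY` would make the check raise on every request. Comparing the UTF-8 encodings avoids both cases while keeping the constant-time property: `if not compare_digest(value.encode("utf-8"), settings.SECRET_KEY.encode("utf-8")):`. Note that `compare_digest` still short-circuits on a length mismatch, so the length of `SECRET_KEY` (not its contents) remains observable through timing. `token_secret_key` continues past the end of the hunk.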