From 49c333221ab3ff8b8b5ba93ecc455393e5093f9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Sp=C3=B6ttel?= <1682504+fspoettel@users.noreply.github.com>
Date: Sun, 6 Sep 2020 12:54:45 +0200
Subject: [PATCH] Use hmac.compare_digest() to compare mru_token

---
 management/totp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/management/totp.py b/management/totp.py
index 23853129..634305a6 100644
--- a/management/totp.py
+++ b/management/totp.py
@@ -65,7 +65,7 @@ class TOTPStrategy():
 raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")

 # TODO: Should a token replay be handled as its own error?
-if token_header == mfa_state['mru_token'] or validate(mfa_state['secret'], token_header) != True:
+if hmac.compare_digest(token_header, mfa_state['mru_token']) or validate(mfa_state['secret'], token_header) != True:
 raise BadTokenError("Two factor code incorrect")

 self.store_successful_login(token_header, env)
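Review bot: The new `hmac.compare_digest(token_header, mfa_state['mru_token'])` call can raise TypeError where the old `==` simply returned False: `compare_digest` requires both operands to be the same type and, for `str`, ASCII-only, so a non-ASCII value in the attacker-controlled x-auth-token header, or an `mru_token` that is `None` before any successful login (its initial value is not visible in this hunk), turns a BadTokenError into an unhandled exception. Normalising both sides to bytes avoids both failure modes, e.g. `mru_token = (mfa_state['mru_token'] or '').encode('utf-8')` followed by `if hmac.compare_digest(token_header.encode('utf-8'), mru_token) or validate(mfa_state['secret'], token_header) != True:` (assuming `token_header` is a `str`). Whether `import hmac` is present at the top of the module is also outside this hunk and should be confirmed. The enclosing method of `TOTPStrategy` starts and ends outside the hunk.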