Skip to content

Commit

Permalink
📝 Replace email with username in docs_src/security/tutorial007 …
Browse files Browse the repository at this point in the history
…code examples (#10649)
  • Loading branch information
nilslindemann authored Jan 11, 2024
1 parent 0da980c commit 69cb005
Show file tree
Hide file tree
Showing 4 changed files with 6 additions and 6 deletions.
6 changes: 3 additions & 3 deletions docs/en/docs/advanced/security/http-basic-auth.md
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ if "johndoe" == "stanleyjobson" and "love123" == "swordfish":
...
```

But right at the moment Python compares the first `j` in `johndoe` to the first `s` in `stanleyjobson`, it will return `False`, because it already knows that those two strings are not the same, thinking that "there's no need to waste more computation comparing the rest of the letters". And your application will say "incorrect user or password".
But right at the moment Python compares the first `j` in `johndoe` to the first `s` in `stanleyjobson`, it will return `False`, because it already knows that those two strings are not the same, thinking that "there's no need to waste more computation comparing the rest of the letters". And your application will say "Incorrect username or password".

But then the attackers try with username `stanleyjobsox` and password `love123`.

Expand All @@ -116,11 +116,11 @@ if "stanleyjobsox" == "stanleyjobson" and "love123" == "swordfish":
...
```

Python will have to compare the whole `stanleyjobso` in both `stanleyjobsox` and `stanleyjobson` before realizing that both strings are not the same. So it will take some extra microseconds to reply back "incorrect user or password".
Python will have to compare the whole `stanleyjobso` in both `stanleyjobsox` and `stanleyjobson` before realizing that both strings are not the same. So it will take some extra microseconds to reply back "Incorrect username or password".

#### The time to answer helps the attackers

At that point, by noticing that the server took some microseconds longer to send the "incorrect user or password" response, the attackers will know that they got _something_ right, some of the initial letters were right.
At that point, by noticing that the server took some microseconds longer to send the "Incorrect username or password" response, the attackers will know that they got _something_ right, some of the initial letters were right.

And then they can try again knowing that it's probably something more similar to `stanleyjobsox` than to `johndoe`.

Expand Down
2 changes: 1 addition & 1 deletion docs_src/security/tutorial007.py
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
if not (is_correct_username and is_correct_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect email or password",
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
)
return credentials.username
Expand Down
2 changes: 1 addition & 1 deletion docs_src/security/tutorial007_an.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ def get_current_username(
if not (is_correct_username and is_correct_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect email or password",
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
)
return credentials.username
Expand Down
2 changes: 1 addition & 1 deletion docs_src/security/tutorial007_an_py39.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ def get_current_username(
if not (is_correct_username and is_correct_password):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect email or password",
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Basic"},
)
return credentials.username
Expand Down

0 comments on commit 69cb005

Please sign in to comment.