execution-payloads-benchmarks/src/expb/api/auth.py at 1657e3d8a8d5163177c40129b585c24d90f90ce7 · NethermindEth/execution-payloads-benchmarks · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
import hashlib
import hmac
from datetime import datetime, timezone

from fastapi import Depends, HTTPException, Security
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from sqlalchemy.orm import Session

from expb.api.dependencies import get_db
from expb.api.db.models import ApiToken

_bearer_scheme = HTTPBearer(auto_error=True)


def _hash_token(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode()).hexdigest()


def verify_token(
    credentials: HTTPAuthorizationCredentials = Security(_bearer_scheme),
    db: Session = Depends(get_db),
) -> None:
    """
    FastAPI dependency that validates a Bearer token against the DB.

    On success, updates the token's ``last_used_at`` timestamp.
    Raises HTTP 401 if the token is missing, invalid, or revoked.
    Use as: ``_: None = Depends(verify_token)``
    """
    computed_hash = _hash_token(credentials.credentials)

    # Fetch all tokens and compare with hmac.compare_digest to resist timing attacks.
    tokens = db.query(ApiToken).all()
    for token in tokens:
        if hmac.compare_digest(token.token_hash, computed_hash):
            token.last_used_at = datetime.now(timezone.utc)
            db.commit()
            return

    raise HTTPException(status_code=401, detail="Invalid or revoked token.")