
fix(auth): use timing-safe token comparison for credential validation #323

Merged
Akshay473 merged 1 commit into Akshay473:main from TanCodeX:fix/timing-safe-token-comparison
Jun 9, 2026

TanCodeX commented Jun 6, 2026

Contributor

Description

This pull request fixes a security vulnerability related to timing-based side-channel attacks during authentication token validation.

Changes Made

  • Updated Server/main.py (get_api_user) to replace direct string equality checks (==) with hmac.compare_digest() when validating:

    • ADMIN_TOKEN
    • INVESTIGATOR_TOKEN
  • Updated Server/security.py (validate_analyze_api_key) to use hmac.compare_digest() when validating DEFAULT_ANALYZE_API_KEY.

  • Added the required hmac imports in both files.

Motivation

Direct string comparison using == can introduce observable timing discrepancies because comparison may stop at the first mismatched character. An attacker could potentially leverage these timing differences to perform credential enumeration and gradually recover valid authentication tokens.

Using hmac.compare_digest() provides timing-safe comparisons, helping mitigate timing side-channel attacks (CWE-208: Observable Timing Discrepancy) and improving the security of token and API key validation.

Fixes #316

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📝 Documentation Update (modifications to guides, readmes, or inline comments)
  • 🧪 Test addition or validation workflow enhancement
  • 🎨 Style / Formatting improvements (non-functional code cleanups)

Scope and Impact

This change is limited to authentication and API key validation logic:

  • Server/main.py

    • get_api_user()
  • Server/security.py

    • validate_analyze_api_key()

No API behavior, request formats, response formats, or authentication workflows were modified. The change only affects the internal comparison mechanism used during credential validation.

Validation & Testing

Verification Performed

  • Confirmed application starts successfully after importing hmac.
  • Verified valid ADMIN_TOKEN authentication continues to work as expected.
  • Verified valid INVESTIGATOR_TOKEN authentication continues to work as expected.
  • Verified valid analyze API key authentication continues to work as expected.
  • Verified invalid tokens and API keys continue to return the expected authorization errors.
  • Reviewed implementation to ensure all sensitive credential comparisons use hmac.compare_digest().

Checklist

  • Code compiles successfully locally (python -m py_compile)
  • Tested responsiveness on multiple viewports (Not applicable – backend-only change)
  • Follows the styling and naming conventions of the repository
  • Accessibility standards (aria-labels, keyboard navigation) have been considered (Not applicable – backend-only change)
  • No secrets or sensitive configuration values are exposed

Screenshots / Visual Demonstrations

Not applicable. This is a backend security enhancement with no UI changes.

Related Issues

Closes #316

Proposed Architecture Changes

Files Modified

  • Server/main.py

    • Added hmac import.
    • Replaced token validation using == with hmac.compare_digest().
  • Server/security.py

    • Added hmac import.
    • Replaced API key validation using == with hmac.compare_digest().

Architectural Impact

  • No architectural changes.
  • No database changes.
  • No API contract changes.
  • Security posture improved by mitigating timing-based credential enumeration attacks.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • CI/CD or DevOps improvement
  • Documentation update

Testing Checklist

Local Verification

  • Tested locally under development environment
  • Verified build is successful with zero errors/warnings
  • Automated tests run successfully and pass

Responsiveness & Design Verification (For Frontend Changes)

  • Mobile view tested & verified (Not applicable)
  • Desktop view tested & verified (Not applicable)
  • Dark / Light mode toggle tested and looks clean (Not applicable)

Security Considerations

  • No hardcoded secrets, API keys, or credentials
  • Input data sanitized
  • Safe environment configuration handles sensitive keys

Visual Impact (Screenshots / GIFs / Videos)

Not applicable. No UI/UX changes were introduced.
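
Added example, not part of the pull request or the project's code: the `==` pattern described under Motivation beside a wrapper around hmac.compare_digest() that also fails closed on the two cases the bare call does not cover, an unset or empty secret and a non-ASCII token. The token values are constructed, and naive_match, token_matches and resolve_role are hypothetical names; resolve_role only stands in for the role lookup in get_api_user().

```python
import hmac
from typing import Optional

# Constructed sample secrets; real values would come from configuration.
ADMIN_TOKEN = "adm-3f9c1e7a52"
INVESTIGATOR_TOKEN = "inv-81b2d04c6e"


def naive_match(presented, expected):
    """The 'before' pattern: == may return at the first differing character."""
    return presented == expected


def token_matches(presented: Optional[str], expected: Optional[str]) -> bool:
    """Timing-safe comparison that rejects missing or empty values."""
    # An unset secret must never match: hmac.compare_digest("", "") is True,
    # so an empty configured token would accept an empty presented token.
    if not presented or not expected:
        return False
    # compare_digest raises TypeError for non-ASCII str, so compare bytes.
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected.encode("utf-8"))


def resolve_role(presented: Optional[str]) -> Optional[str]:
    """Hypothetical stand-in for the role lookup done in get_api_user()."""
    # Run both comparisons before branching so the work per request does
    # not depend on which role's token is checked first.
    is_admin = token_matches(presented, ADMIN_TOKEN)
    is_investigator = token_matches(presented, INVESTIGATOR_TOKEN)
    if is_admin:
        return "admin"
    if is_investigator:
        return "investigator"
    return None
```

hmac.compare_digest() protects the contents of the compared values; per the Python documentation, differing lengths can still be observable, so tokens should be fixed-length random strings.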

vercel Bot commented Jun 6, 2026

@TanCodeX is attempting to deploy a commit to the akshay473's projects Team on Vercel.

A member of the Team first needs to authorize it.

TanCodeX commented Jun 6, 2026

Contributor Author

@Akshay473 please review and merge under gssoc'26.

vercel Bot commented Jun 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
forensic-pro-suite | Ready | Preview, Comment | Jun 9, 2026 1:10am
forensic-pro-suite-7777 | Ready | Preview, Comment | Jun 9, 2026 1:10am

Akshay473 merged commit bc81297 into Akshay473:main Jun 9, 2026
5 checks passed

@TanCodeX

Contributor Author

@Akshay473 Hi! Could you please update the label from gssoc: approved to gssoc:approved? Because of the space after gssoc:, the GSSoC system is unable to detect that this issue is under GSSoC. Thank you!


Development

Successfully merging this pull request may close these issues.

[Security] Bearer token comparison uses non-constant-time equality — vulnerable to timing-based credential enumeration
