From ac08e3616c270973b9540f3393afe263eecdcc2f Mon Sep 17 00:00:00 2001
From: David Manouchehri
Date: Fri, 24 Nov 2023 12:12:29 -0500
Subject: [PATCH] Fix timing attack on master_key.

---
 litellm/proxy/proxy_server.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/litellm/proxy/proxy_server.py b/litellm/proxy/proxy_server.py
index 9ea6993ab2..eb21384848 100644
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
@@ -152,10 +152,11 @@ async def user_api_key_auth(request: Request, api_key: str = fastapi.Security(ap
 return
 try:
 route = request.url.path
- if api_key == master_key or api_key == "Bearer " + master_key:
+ is_master_key_valid = secrets.compare_digest(api_key, master_key) or secrets.compare_digest(api_key == "Bearer " + master_key)
+ if is_master_key_valid:
 return
- if (route == "/key/generate" or route == "/key/delete") and not (api_key == master_key or api_key == "Bearer " + master_key):
+ if (route == "/key/generate" or route == "/key/delete") and not is_master_key_valid:
 raise Exception(f"If master key is set, only master key can be used to generate new keys")
 if prisma_client:
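Review bot: The second `secrets.compare_digest` call on the added `is_master_key_valid` line receives a single boolean, `api_key == "Bearer " + master_key`, so it raises `TypeError` (two arguments are required) whenever the plain-key comparison is false, and the inner `==` is still the variable-time comparison this commit set out to remove; it should be `secrets.compare_digest(api_key, "Bearer " + master_key)`. Because the line sits inside the `try:` visible in the hunk, that `TypeError` is presumably caught by an `except` outside the hunk and reported as a generic auth failure rather than as the bug it is, which would make every non-master-key request fail silently — worth confirming against the handler. `compare_digest` on `str` also raises `TypeError` if either side contains non-ASCII characters and if `api_key` is `None`, so comparing encoded bytes (`api_key.encode()` against `master_key.encode()`) or guarding those cases first would keep the check from failing closed for the wrong reason. The patch does not show `secrets` being imported at the top of proxy_server.py; confirm it is, or add `import secrets`. `user_api_key_auth` starts before and continues after this hunk.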