From b1db3a38d76a1f20f4af64c7c8d9985eb1d1e701 Mon Sep 17 00:00:00 2001
From: ishaan-jaff
Date: Fri, 24 Nov 2023 10:02:08 -0800
Subject: [PATCH] (fix) prisma using: secrets.compare_digest
---
 litellm/proxy/proxy_server.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/litellm/proxy/proxy_server.py b/litellm/proxy/proxy_server.py
index eb21384848..1fa1343de9 100644
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
@@ -152,7 +152,9 @@ async def user_api_key_auth(request: Request, api_key: str = fastapi.Security(ap
         return
     try:
         route = request.url.path
-        is_master_key_valid = secrets.compare_digest(api_key, master_key) or secrets.compare_digest(api_key == "Bearer " + master_key)
+
+        # note: never string compare api keys, this is vulenerable to a time attack. Use secrets.compare_digest instead
+        is_master_key_valid = secrets.compare_digest(api_key, master_key) or secrets.compare_digest(api_key, "Bearer " + master_key)
         if is_master_key_valid:
             return
@@ -164,9 +166,11 @@ async def user_api_key_auth(request: Request, api_key: str = fastapi.Security(ap
         valid_token = user_api_key_cache.get_cache(key=api_key)
         if valid_token is None:
             ## check db
+            if "Bearer " in api_key:
+                cleaned_api_key = api_key[len("Bearer "):]
             valid_token = await prisma_client.litellm_verificationtoken.find_first(
                 where={
-                    "token": api_key,
+                    "token": cleaned_api_key,
                     "expires": {"gte": datetime.utcnow()}  # Check if the token is not expired
                 }
             )
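Review bot: The added comment above the new `is_master_key_valid` line misspells "vulnerable" as "vulenerable", and since it is the only in-code justification for the constant-time comparison it should read cleanly: `# note: never compare API keys with ==, that is vulnerable to a timing attack; use secrets.compare_digest instead`. Separately, `secrets.compare_digest` raises `TypeError` rather than returning False when either str operand contains non-ASCII characters (or when `api_key` is None, if the `Security` dependency can yield that), and the header value is client-supplied; the enclosing `try` continues outside the hunk, so it is not visible here which handler receives that exception. Comparing encoded bytes removes the ASCII restriction: `secrets.compare_digest(api_key.encode(), master_key.encode())`, applied to both operands of the `or`.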
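Review bot: `cleaned_api_key` is only bound inside the added `if "Bearer " in api_key:` branch, so a key sent without the prefix reaches `"token": cleaned_api_key` with the name unbound and raises `UnboundLocalError` instead of being looked up in the database. The condition is also a substring test rather than a prefix test, so a key that merely contains `Bearer ` somewhere would be sliced incorrectly. One unconditional assignment fixes both: `cleaned_api_key = api_key[len("Bearer "):] if api_key.startswith("Bearer ") else api_key`. Note too that the cache lookup on the first context line still uses the raw `api_key` while the database query now uses the stripped value; whether the cache is populated with the stripped form is not visible in this hunk, but if it is not, prefixed keys will miss the cache on every request. `user_api_key_auth` continues outside the hunk.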