📝 Update docs for handling HTTP Basic Auth with secrets.compare_digest() to account for non-ASCII characters (#3536)

Co-authored-by: le_woudar <kevin.tewouda@gandi.net> Co-authored-by: Sebastián Ramírez <tiangolo@gmail.com>
2026-05-18 21:39:22 -04:00 · 2022-08-24 16:53:43 +02:00
parent f90465f5b4
commit 8c6ad35615
2 changed files with 21 additions and 7 deletions
--- a/docs_src/security/tutorial007.py
+++ b/docs_src/security/tutorial007.py
@@ -9,9 +9,17 @@ security = HTTPBasic()


 def get_current_username(credentials: HTTPBasicCredentials = Depends(security)):
-    correct_username = secrets.compare_digest(credentials.username, "stanleyjobson")
-    correct_password = secrets.compare_digest(credentials.password, "swordfish")
-    if not (correct_username and correct_password):
+    current_username_bytes = credentials.username.encode("utf8")
+    correct_username_bytes = b"stanleyjobson"
+    is_correct_username = secrets.compare_digest(
+        current_username_bytes, correct_username_bytes
+    )
+    current_password_bytes = credentials.password.encode("utf8")
+    correct_password_bytes = b"swordfish"
+    is_correct_password = secrets.compare_digest(
+        current_password_bytes, correct_password_bytes
+    )
+    if not (is_correct_username and is_correct_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect email or password",