path: root/docs/tutorials/wiki2/src/models
author: Steve Piercy <web@stevepiercy.com> 2016-02-27 00:59:17 -0800
committer: Steve Piercy <web@stevepiercy.com> 2016-02-27 00:59:17 -0800
commit: 082d3b2cb9127f8acfd4d081e69c427a37bae91d
tree: 72d1bcdc64a352ac0acc69a575cac4d4423074b5 /docs/tutorials/wiki2/src/models
parent: a6db36c984bd69f8a6aba80ad6db435cd4b1b93c
wiki2 authentication bug fix and improvement against timing attack
- Bytes type does not have encode method. The expected_hash retrieved from the database is a bytes object.
- Use hmac.compare_digest instead of == to avoid timing attacks as a recommended security best practice. See https://www.python.org/dev/peps/pep-0466/, https://bugs.python.org/issue21306 and https://codahale.com/a-lesson-in-timing-attacks/ for details. Note, however, this was not backported to py2.6. For a tutorial, I am OK with stating this will not work on Python 2.6 with a clear warning note at the start of the tutorial and on the authentication step.
Diffstat (limited to 'docs/tutorials/wiki2/src/models')
0 files changed, 0 insertions, 0 deletions
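The two points in the commit message (a bytes value from the database has no encode method, and == versus hmac.compare_digest), shown side by side as an added example. This is not the wiki2 tutorial's or Pyramid's own code: it substitutes PBKDF2-HMAC from the standard library for the bcrypt the tutorial uses, and the function names and storage format are assumed.

```python
import hashlib
import hmac
import os
from typing import Optional, Union

# Constructed example, not the Pyramid wiki2 tutorial's code. PBKDF2-HMAC
# stands in for bcrypt so the snippet runs with the standard library only.
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def hash_password(pw: str, salt: Optional[bytes] = None) -> bytes:
    """Return 'salthex:digesthex' as ASCII bytes, the form a DB column hands back."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf8"), salt, PBKDF2_ROUNDS)
    return (salt.hex() + ":" + digest.hex()).encode("ascii")


def _salt_of(expected_hash: bytes) -> bytes:
    """Recover the salt so the candidate password can be hashed the same way."""
    return bytes.fromhex(expected_hash.split(b":", 1)[0].decode("ascii"))


def check_password_naive(expected_hash: bytes, pw: str) -> bool:
    """The pattern the commit replaces: '==' on bytes stops at the first
    differing byte, so comparison time depends on the length of the matching
    prefix (the timing side channel the linked references describe)."""
    return hash_password(pw, _salt_of(expected_hash)) == expected_hash


def check_password(expected_hash: Union[bytes, str], pw: str) -> bool:
    """Hardened form. The stored value arrives as bytes, and bytes has no
    .encode() (calling it raises AttributeError), so only a str is encoded.
    hmac.compare_digest (Python 3.3+ / 2.7.7+, not 2.6) takes time that does
    not depend on where the inputs differ. Both arguments must be the same
    type, bytes and bytes here; mixing bytes and str raises TypeError."""
    if isinstance(expected_hash, str):
        expected_hash = expected_hash.encode("utf8")
    candidate = hash_password(pw, _salt_of(expected_hash))
    return hmac.compare_digest(candidate, expected_hash)
```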