From 19b2afcb4321415933cd2e2d3dd7e6488f66f6d5 Mon Sep 17 00:00:00 2001
From: dm <>
Date: Thu, 4 Sep 2025 11:42:33 +0300
Subject: [PATCH] added hash system
---
 .env | 2 +-
 app/api.py | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/.env b/.env
index b1b8cba..62e985b 100644
--- a/.env
+++ b/.env
@@ -1,5 +1,5 @@
 FILES_DIR="./files"
-API_KEY="aboba"
+API_KEY_HASH="a6c79a27049109e472b246b5dfbe08aedff1e9e2259597e54032dbad4958d4ad"
 FILES_PADDING="5"
 DATABASE_NAME="files.db"
 FTP_URL="ftp"
diff --git a/app/api.py b/app/api.py
index 9bfc408..e49d760 100644
--- a/app/api.py
+++ b/app/api.py
@@ -8,11 +8,12 @@ from io import BytesIO
 from . import db
 from dotenv import load_dotenv
 import os
+import hmac
 load_dotenv()
 FILES_DIR = os.getenv("FILES_DIR")
-API_KEY = os.getenv("API_KEY")
+API_KEY_HASH = os.getenv("API_KEY_HASH")
 api_key_header = APIKeyHeader(name="X-API-Key")
 FTP_URL = os.getenv("FTP_URL")
@@ -20,8 +21,10 @@ FTP_LOGIN = os.getenv("FTP_LOGIN")
 FTP_PASSWORD = os.getenv("FTP_PASSWORD")
 def verify_api_key(api_key: str = Security(api_key_header)):
- if api_key != API_KEY:
- raise HTTPException(status_code=403, detail="Forbidden")
+ api_key_hashed = hashlib.sha256(api_key.encode()).hexdigest()
+ if not hmac.compare_digest(api_key_hashed, API_KEY_HASH):
+ raise HTTPException(status_code=403, detail="Forbidden. (╥﹏╥)")
+ return api_key
 def compute_hash(data: bytes, algorithm="sha256") -> str:
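Review bot: `API_KEY_HASH` in `.env` is an unsalted SHA-256 digest kept in a tracked file, so it protects the key only if the key itself is long and random. The removed `API_KEY` line shows the previous key was a short word, and it stays readable in the repository history. If the key was not rotated as part of this commit, generate a new high-entropy one (for example with `secrets.token_urlsafe(32)`), store only its digest, and treat the old key as disclosed. Consider untracking `.env` and committing a placeholder file instead, e.g. `API_KEY_HASH="<sha256-hex-of-generated-key>"`.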
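Review bot: In the first app/api.py hunk, `API_KEY_HASH = os.getenv("API_KEY_HASH")` is `None` when the variable is unset, and `hmac.compare_digest` raises `TypeError` on a `None` argument. A misconfigured deployment would therefore fail on every request, presumably with a 500, instead of refusing to start. Add a check right after the assignment: `if not API_KEY_HASH: raise RuntimeError("API_KEY_HASH is not set")`. Since `hexdigest()` returns lowercase hex, normalising the configured value with `.strip().lower()` also avoids a silent lock-out from an uppercase or padded digest.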
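Review bot: The added `return api_key` in `verify_api_key` hands the plaintext secret to every route that takes this dependency, where it can end up in logs or responses. Unless a handler needs the value, drop the return or return a non-secret marker. The new body also calls `hashlib.sha256` while the commit adds only `import hmac`, so confirm `hashlib` is already imported above line 8; `compute_hash` suggests it is, but those lines are outside the diff. A docstring such as `"""Raise 403 unless SHA-256 of the X-API-Key header matches API_KEY_HASH."""` would record the contract. `compute_hash`'s body continues outside the hunk.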