From 79a205eee27ac37e344fc0b35406bd118a43605f Mon Sep 17 00:00:00 2001
From: "J. Nick Koston"
Date: Sun, 8 Feb 2026 06:46:28 -0600
Subject: [PATCH] [dashboard] Use constant-time comparison for username check

Use hmac.compare_digest() for the username comparison to match the existing constant-time password comparison. This prevents username enumeration via timing analysis.
---
 esphome/dashboard/settings.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/esphome/dashboard/settings.py b/esphome/dashboard/settings.py
index 6035b4a1d6..5baa03d02d 100644
--- a/esphome/dashboard/settings.py
+++ b/esphome/dashboard/settings.py
@@ -84,11 +84,12 @@ class DashboardSettings:
     def check_password(self, username: str, password: str) -> bool:
         if not self.using_auth:
             return True
-        if username != self.username:
-            return False
-
-        # Compare password in constant running time (to prevent timing attacks)
-        return hmac.compare_digest(self.password_hash, password_hash(password))
+        # Compare both in constant running time (to prevent timing attacks)
+        username_matches = hmac.compare_digest(username, self.username)
+        password_matches = hmac.compare_digest(
+            self.password_hash, password_hash(password)
+        )
+        return username_matches and password_matches
 
     def rel_path(self, *args: Any) -> Path:
         """Return a path relative to the ESPHome config folder."""
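Review bot: The new `hmac.compare_digest(username, self.username)` on the first `+` line after the comment raises `TypeError` when either str contains a non-ASCII character, whereas the removed `!=` check simply returned False; since `username` arrives from the login request, a client can trigger that exception on every request, and a configured non-ASCII username could never authenticate. Compare bytes instead so all inputs take the False path: `username_matches = hmac.compare_digest(username.encode("utf-8"), self.username.encode("utf-8"))` (this assumes `self.username` is a str, as the parameter annotation suggests). Note also that `compare_digest` is constant-time only for equal-length inputs, so the configured username's length remains observable; hashing both sides the way the password path does would remove that residual leak.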