From bf7c7ecf051860751e8e9a1d290f16d10e8eb43b Mon Sep 17 00:00:00 2001
From: memosr
Date: Mon, 13 Apr 2026 23:45:38 +0300
Subject: [PATCH] fix(security): use hmac.compare_digest for BlueBubbles webhook token to prevent timing attacks
---
 gateway/platforms/bluebubbles.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gateway/platforms/bluebubbles.py b/gateway/platforms/bluebubbles.py
index 115000996..feca0577e 100644
--- a/gateway/platforms/bluebubbles.py
+++ b/gateway/platforms/bluebubbles.py
@@ -9,6 +9,7 @@ downloading from PR #4588 (YuhangLin). """ import asyncio
+import hmac
 import json
 import logging
 import os
@@ -770,7 +771,7 @@ class BlueBubblesAdapter(BasePlatformAdapter):
 or request.headers.get("x-guid")
 or request.headers.get("x-bluebubbles-guid")
 )
- if token != self.password:
+ if not hmac.compare_digest(token or "", self.password or ""):
 return web.json_response({"error": "unauthorized"}, status=401)
 try:
 raw = await request.read()
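Review bot: `hmac.compare_digest` raises `TypeError` when either `str` argument contains non-ASCII characters, so on the new `if not hmac.compare_digest(...)` line a header value with such characters turns the intended 401 into an unhandled exception; comparing encoded bytes avoids that, assuming `token` is always a `str`: `hmac.compare_digest((token or "").encode("utf-8"), (self.password or "").encode("utf-8"))`. The `or ""` defaults also shift the fail-closed behaviour: with an empty-string configured password and no token header the old `!=` check rejected the request, whereas the new comparison of two empty strings accepts it, and a `None` password with no token is accepted in both versions. If running without a configured password is not intended, guard it explicitly, e.g. `if not self.password or not hmac.compare_digest(...)`; if it is intended, a one-line comment saying so would stop the next reader from treating it as a bug. The enclosing handler starts and ends outside the hunk, so where `token` and `self.password` come from cannot be confirmed here.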