
security: timing-safe HMAC and CORS wildcard fix#617

Open
wahh3b-lgtm wants to merge 1 commit into
PasarGuard:devfrom
wahh3b-lgtm:pr-1-security-v2

Conversation

@wahh3b-lgtm


Changes

  • JWT timing-safe verification (app/utils/jwt.py): Replaced in membership check with hmac.compare_digest using bitwise OR to ensure both comparisons always execute, preventing timing side-channels
  • CORS wildcard fix (app/middlewares/__init__.py): When allow_credentials=True, any wildcard origin (*) in the allowed origins list now disables credentials with a warning
  • Python 2 syntax fix (app/utils/jwt.py): Fixed except TypeError, ValueError: to except (TypeError, ValueError):

What was removed (per project owner feedback)

  • Rate limiting: Should be handled at infrastructure level (nginx, cloudflare, haproxy)
  • TTL on get_secret_key: The JWT secret key is permanent and doesn't need a TTL
  • invalidate_secret_key_cache: Unused function removed

Files Changed

  • app/utils/jwt.py
  • app/middlewares/__init__.py

Verification

  • Ruff lint + format pass
  • 13/13 tests pass

- Use hmac.compare_digest with bitwise OR for constant-time JWT signature verification
- Reject wildcard CORS origins when allow_credentials=True
- Fix Python 2 exception syntax (except TypeError, ValueError -> except (TypeError, ValueError))
@coderabbitai

coderabbitai Bot commented Jun 15, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.
