flask app vulnerable to timing attack on passwords

main.py

import base64
import os
import time
from functools import wraps

from flask import Flask, request, session

app = Flask(__name__)
app.secret_key = base64.b64encode(os.urandom(32))

books = {
    "1": {
        "name": "Book #1",
        "owner": "user_a"
    },
    "2": {
        "name": "Book #2",
        "owner": "user_b"
    },
    "3": {
        "name": "Book #3",
        "owner": "user_a"
    },
    "4": {
        "name": "Book #4",
        "owner": "user_b"
    },
}

users = {
    "user_a": "some_pwd",
    "user_b": "asdzdasz"
}


def check_password(body: dict) -> str:
    username = body['username']
    password = body['password']
    correct_password = users[username]
    for idx, letter in enumerate(password):
        if letter != correct_password[idx]:
            raise Exception('Unauthorized')
        time.sleep(0.2)
    return username


def require_auth(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        user = session.get('user', None)
        if not user:
            return {'message': 'unauthorized'}, 401
        return f(*args, **kwargs)

    return decorated


@app.route("/book/", methods=['GET'])
@require_auth
def get_books():
    user = session['user']
    return {'books': [b for _, b in books.items() if b['owner'] == user]}


@app.route("/book/<book_id>", methods=['GET'])
@require_auth
def get_book(book_id):
    book = books[book_id]
    if not book:
        return {'message': 'book not found'}, 404
    elif book['owner'] != session['user']:
        return {'message': 'Book does not belong to you!'}, 403
    else:
        return book


@app.route("/login", methods=['POST'])
def login():
    body = request.json
    try:
        session['user'] = check_password(body)
        return {'user': session['user']}
    except:
        pass
    return {'message': 'unauthorized'}, 401


if __name__ == '__main__':
    app.run(debug=True, port=8080)