From fe01dd00fbebbf46f8cab552b89c402124541cab Mon Sep 17 00:00:00 2001
From: Elisei Roca
Date: Wed, 22 Sep 2021 00:00:19 +0200
Subject: Replace py-bcrypt with bcrypt.

Almost a drop-in replacement, only needed some str - byte conversions. The former has not seen a release since 2013, the latter is active with a last release on Aug. 16th 2020.

Signed-off-by: Ben Sturmfels
---
 mediagoblin/plugins/basic_auth/tools.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'mediagoblin/plugins/basic_auth/tools.py')

diff --git a/mediagoblin/plugins/basic_auth/tools.py b/mediagoblin/plugins/basic_auth/tools.py
index 5b89e51b..fcc00b72 100644
--- a/mediagoblin/plugins/basic_auth/tools.py
+++ b/mediagoblin/plugins/basic_auth/tools.py
@@ -40,7 +40,7 @@ def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
     if extra_salt:
         raw_pass = f"{extra_salt}:{raw_pass}"
 
-    hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash)
+    hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash.encode('utf-8'))
 
     # Reduce risk of timing attacks by hashing again with a random
     # number (thx to zooko on this advice, which I hopefully
@@ -66,8 +66,7 @@ def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
     if extra_salt:
         raw_pass = f"{extra_salt}:{raw_pass}"
 
-    return str(
-        bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()))
+    return bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()).decode()
 
 
 def fake_login_attempt():
@@ -81,9 +80,9 @@ def fake_login_attempt():
     """
     rand_salt = bcrypt.gensalt(5)
 
-    hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
+    hashed_pass = bcrypt.hashpw(str(random.random()).encode('utf8'), rand_salt)
 
-    randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
+    randplus_stored_hash = bcrypt.hashpw(str(random.random()).encode('utf8'), rand_salt)
     randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
 
     randplus_stored_hash == randplus_hashed_pass
-- 
cgit v1.2.3
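Review bot: The `.encode('utf-8')` added on the `hashed_pass` line only covers the first `hashpw` call, while the timing-equalising tail of `bcrypt_check_password` announced by the comment just below starts outside this hunk; if it still passes the str `stored_hash` straight into `bcrypt.hashpw(stored_hash, rand_salt)`, the `bcrypt` package raises `TypeError("Unicode-objects must be encoded before hashing")` and every genuine login fails, so please confirm that call was converted as well. Now that the code is on `bcrypt`, the re-hash-with-a-random-salt comparison can be replaced by the library's own constant-time check, `return bcrypt.checkpw(raw_pass.encode('utf-8'), stored_hash.encode('utf-8'))`, which compares via `hmac.compare_digest` and removes the extra `gensalt`/`hashpw` round-trips. Either call raises `ValueError` on a malformed `stored_hash`, so the caller should treat that as a failed login rather than a 500. Worth a comment near the `extra_salt` prefix too: bcrypt only consumes the first 72 bytes of its input, so the prefix shortens the effective password by `len(extra_salt) + 1` bytes. The enclosing function continues beyond the hunk.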
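Review bot: `fake_login_attempt` still seeds its hashes with `bcrypt.gensalt(5)` while `bcrypt_gen_password_hash` in the hunk above uses `bcrypt.gensalt()` (cost 12 by default in the `bcrypt` package), so a decoy attempt finishes roughly a hundred times faster than a real `bcrypt_check_password`; if, as its name and the surrounding comments suggest, this function exists to mask whether a username is valid, it should use the same cost, `rand_salt = bcrypt.gensalt()`. The closing `randplus_stored_hash == randplus_hashed_pass` is a bare expression whose result is discarded; assign it to a throwaway name or drop it so linters stop flagging it. Minor consistency point: this hunk spells the codec `'utf8'`, the first hunk uses `'utf-8'`, and the second relies on a bare `.decode()` — pick one form for the file. The function's docstring starts before the hunk.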