~mediagoblin/mediagoblin

fe01dd00fbebbf46f8cab552b89c402124541cab — Elisei Roca 28 days ago 692261d
Replace py-bcrypt with bcrypt.

Almost a drop-in replacement, only needed some str - byte conversions.

The former has not seen a release since 2013, the latter is active with
a last release on Aug. 16th 2020.

Signed-off-by: Ben Sturmfels <ben@sturm.com.au>
M docs/source/siteadmin/relnotes.rst => docs/source/siteadmin/relnotes.rst +1 -0
@@ 34,6 34,7 @@ This chapter has important information about our current and previous releases.
- Set videos to preload="metadata" to prevent upfront download [trac#5625] (Michael McMahon)
- Add a "Troubleshooting" page to the documentation (Ben Sturmfels)
- Add Ubuntu 20.04 CI build and reinstate Debian 10 CI build (Ben Sturmfels)
- Switch from `py-bcrypt` to `bcrypt` (Elisei Roca)


0.12.0

M guix-env.scm => guix-env.scm +1 -1
@@ 207,7 207,7 @@
       ("python-openid" ,python-openid) ; For OpenID plugin
       ("python-pastescript" ,python-pastescript)
       ("python-pillow" ,python-pillow)
       ("python-py-bcrypt" ,python-py-bcrypt)
       ("python-bcrypt" ,python-bcrypt)
       ("python-pyld" ,python-pyld)
       ("python-pytz" ,python-pytz)
       ("python-requests" ,python-requests) ; For batchaddmedia

M mediagoblin/plugins/basic_auth/tools.py => mediagoblin/plugins/basic_auth/tools.py +4 -5
@@ 40,7 40,7 @@ def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
    if extra_salt:
        raw_pass = f"{extra_salt}:{raw_pass}"

    hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash)
    hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash.encode('utf-8'))

    # Reduce risk of timing attacks by hashing again with a random
    # number (thx to zooko on this advice, which I hopefully


@@ 66,8 66,7 @@ def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
    if extra_salt:
        raw_pass = f"{extra_salt}:{raw_pass}"

    return str(
        bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()))
    return bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()).decode()


def fake_login_attempt():


@@ 81,9 80,9 @@ def fake_login_attempt():
    """
    rand_salt = bcrypt.gensalt(5)

    hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
    hashed_pass = bcrypt.hashpw(str(random.random()).encode('utf8'), rand_salt)

    randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
    randplus_stored_hash = bcrypt.hashpw(str(random.random()).encode('utf8'), rand_salt)
    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)

    randplus_stored_hash == randplus_hashed_pass
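Review bot: `fake_login_attempt` still builds its salt with `bcrypt.gensalt(5)`, while `bcrypt_gen_password_hash` uses `bcrypt.gensalt()` at the library's default cost, so the dummy check for an unknown user finishes much faster than a real password check and response time can reveal whether an account exists. Using the same cost in the fake path, `rand_salt = bcrypt.gensalt()`, keeps the two paths comparable. The docstring and callers of `fake_login_attempt` are outside the hunk, so confirm that it is meant to mirror `bcrypt_check_password`. With `bcrypt` as the dependency, `bcrypt.checkpw(raw_pass.encode('utf-8'), stored_hash.encode('utf-8'))` could also replace the hand-rolled re-hash-and-compare with the library's constant-time comparison. The rest of `bcrypt_check_password` is not visible here.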

M setup.cfg => setup.cfg +1 -1
@@ 56,7 56,7 @@ install_requires =
    Markdown
    oauthlib
    PasteScript
    py-bcrypt
    bcrypt
    PyLD<2.0.0  # Breaks a Python 3 test if >= 2.0.0.
    python-dateutil
    pytz
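Review bot: `py-bcrypt` and `bcrypt` both install a top-level module named `bcrypt`, and swapping the requirement here does not uninstall the old distribution, so an environment upgraded in place can end up with files from both. The release notes entry should tell administrators to remove `py-bcrypt` before installing the new requirements. The new entry is also unpinned, although the code in `basic_auth/tools.py` now relies on `hashpw` taking and returning bytes; a lower bound of the form `bcrypt>=<minimum tested version>` would record that assumption.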