From fe01dd00fbebbf46f8cab552b89c402124541cab Mon Sep 17 00:00:00 2001
From: Elisei Roca
Date: Wed, 22 Sep 2021 00:00:19 +0200
Subject: [PATCH] Replace py-bcrypt with bcrypt.
Almost a drop-in replacement, only needed some str - byte conversions. The former has not seen a release since 2013, the latter is active with a last release on Aug. 16th 2020.
Signed-off-by: Ben Sturmfels
---
 docs/source/siteadmin/relnotes.rst | 1 +
 guix-env.scm | 2 +-
 mediagoblin/plugins/basic_auth/tools.py | 9 ++++-----
 setup.cfg | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/docs/source/siteadmin/relnotes.rst b/docs/source/siteadmin/relnotes.rst
index 09513740..62603392 100644
--- a/docs/source/siteadmin/relnotes.rst
+++ b/docs/source/siteadmin/relnotes.rst
@@ -34,6 +34,7 @@ This chapter has important information about our current and previous releases.
 - Set videos to preload="metadata" to prevent upfront download [trac#5625] (Michael McMahon)
 - Add a "Troubleshooting" page to the documentation (Ben Sturmfels)
 - Add Ubuntu 20.04 CI build and reinstate Debian 10 CI build (Ben Sturmfels)
+- Switch from `py-bcrypt` to `bcrypt` (Elisei Roca)
 0.12.0
diff --git a/guix-env.scm b/guix-env.scm
index efe400ac..b0c0a171 100644
--- a/guix-env.scm
+++ b/guix-env.scm
@@ -207,7 +207,7 @@
 ("python-openid" ,python-openid) ; For OpenID plugin
 ("python-pastescript" ,python-pastescript)
 ("python-pillow" ,python-pillow)
- ("python-py-bcrypt" ,python-py-bcrypt)
+ ("python-bcrypt" ,python-bcrypt)
 ("python-pyld" ,python-pyld)
 ("python-pytz" ,python-pytz)
 ("python-requests" ,python-requests) ; For batchaddmedia
diff --git a/mediagoblin/plugins/basic_auth/tools.py b/mediagoblin/plugins/basic_auth/tools.py
index 5b89e51b..fcc00b72 100644
--- a/mediagoblin/plugins/basic_auth/tools.py
+++ b/mediagoblin/plugins/basic_auth/tools.py
@@ -40,7 +40,7 @@ def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
 if extra_salt:
 raw_pass = f"{extra_salt}:{raw_pass}"
- hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash)
+ hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash.encode('utf-8'))
 # Reduce risk of timing attacks by hashing again with a random
 # number (thx to zooko on this advice, which I hopefully
@@ -66,8 +66,7 @@ def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
 if extra_salt:
 raw_pass = f"{extra_salt}:{raw_pass}"
- return str(
- bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()))
+ return bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()).decode()
 def fake_login_attempt():
@@ -81,9 +80,9 @@ def fake_login_attempt():
 """
 rand_salt = bcrypt.gensalt(5)
- hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
+ hashed_pass = bcrypt.hashpw(str(random.random()).encode('utf8'), rand_salt)
- randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
+ randplus_stored_hash = bcrypt.hashpw(str(random.random()).encode('utf8'), rand_salt)
 randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
 randplus_stored_hash == randplus_hashed_pass
diff --git a/setup.cfg b/setup.cfg
index 5f9f0408..fb7d8c03 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -56,7 +56,7 @@ install_requires =
 Markdown
 oauthlib
 PasteScript
- py-bcrypt
+ bcrypt
 PyLD<2.0.0 # Breaks a Python 3 test if >= 2.0.0.
 python-dateutil
 pytz
-- 
2.45.2
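Review bot: The new line encodes `stored_hash` only at this one call site, while the function continues past the hunk (the re-hash-and-compare described by the timing-attack comment), and any later use of `stored_hash` there still sees the original `str` whereas `hashed_pass` is now `bytes` from the new library; a `str` handed to the new `hashpw` is rejected and a `bytes == str` comparison is always False, so a second encode or a silent mismatch is likely unless the trailing code was adjusted too. Normalizing once at the top keeps every use consistent and also tolerates rows that already store the hash as bytes: `if isinstance(stored_hash, str):` / `stored_hash = stored_hash.encode('utf-8')` / `hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash)`. Since the new library provides `bcrypt.checkpw`, which does the comparison in constant time, the hand-rolled re-hash in the rest of the function could be replaced by it in a follow-up. bcrypt_check_password starts before and ends after the hunk.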
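Review bot: The new return line decodes with the default codec while bcrypt_check_password encodes the same value with an explicit `'utf-8'`; spelling it out, `return bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()).decode('utf-8')`, makes the round trip between the two functions visibly symmetric and matches the rest of the file. The docstring, which opens above the hunk, should also state that the return value is a `str` suitable for storing as-is, since callers previously received whatever `str(...)` made of the library's result. bcrypt_gen_password_hash starts before the hunk.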
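Review bot: The two added lines spell the codec `'utf8'` where the other hunks in this file use `'utf-8'`; both select the same codec, but one spelling should be used throughout, e.g. `hashed_pass = bcrypt.hashpw(str(random.random()).encode('utf-8'), rand_salt)`. The context line `randplus_stored_hash == randplus_hashed_pass` is an expression statement whose result is discarded, so a comment such as `# comparison is intentional: mirrors the real check's work, result unused` would tell the next reader it is not a forgotten assertion. Since this function exists to make a failed lookup take about as long as a real password check, the fixed work factor in `bcrypt.gensalt(5)` versus the library default used by bcrypt_gen_password_hash likely makes the two paths differ noticeably in duration; that predates this commit but is worth a follow-up. The function's docstring opens above the hunk.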