Crypt deprecation warning from passlib #1325

Closed
gpkc opened this issue Dec 24, 2023 · 12 comments
Labels
enhancement New feature or request third-party Issues waiting or dependent on a third party

@gpkc
Contributor

gpkc commented Dec 24, 2023

Describe the bug

Using passlib, which internally imports crypt, now gives a deprecation warning:

```
.venv/lib/python3.11/site-packages/passlib/utils/__init__.py:854
DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13
    from crypt import crypt as _crypt
```
@gpkc gpkc added the bug Something isn't working label Dec 24, 2023
@gpkc
Contributor Author

gpkc commented Dec 24, 2023

@frankie567 frankie567 added enhancement New feature or request third-party Issues waiting or dependent on a third party and removed bug Something isn't working labels Dec 28, 2023
@frankie567
Member

Indeed, but as we mentioned in #1301, there is nothing much we can do until passlib is updated 😓

@bkis
Contributor

bkis commented Jan 22, 2024

As it seems quite unlikely passlib will receive any updates (it has been unmaintained for some years now), would it be possible to use bcrypt directly instead of relying on passlib? Or evaluate possible alternatives?

@realitix

Indeed it doesn't seem to be a good idea to rely on passlib anymore.

@JimScope
Contributor

JimScope commented Feb 1, 2024

Perhaps this option could be considered? #1345

@digitalkaoz

digitalkaoz commented Feb 8, 2024

passlib will never be fixed unless fixed there or forked.
It's quite annoying and 3.13 is already at the front door, so not much time left until "fast-api-users won't work on 3.13 bugs"

@hasB4K

hasB4K commented Mar 5, 2024

It seems that @frankie567, the main maintainer of this project, decided to create a passlib alternative of his own 3 weeks ago.
https://github.com/frankie567/pwdlib

He published a post on his blog explaining why he created this project, and that he wants to have pwdlib used in fastapi-users 🥳 : https://polar.sh/frankie567/posts/introducing-pwdlib-a-modern-password-hash-helper-for-python

I created a PasswordHelper using pwdlib in the meantime. If someone needs it, here it is:

```python
import secrets
import string
from typing import Optional, Tuple

import pwdlib
from fastapi_users.password import PasswordHelperProtocol


class PasswordHelper(PasswordHelperProtocol):
    def __init__(self, context=None) -> None:
        self.context = context
        if self.context is None:
            # Default to pwdlib's recommended configuration.
            self.context = pwdlib.PasswordHash.recommended()

    def verify_and_update(
        self, plain_password: str, hashed_password: str
    ) -> Tuple[bool, Optional[str]]:
        # The second element is None when the stored hash needs no update.
        return self.context.verify_and_update(password=plain_password, hash=hashed_password)

    def hash(self, password: str) -> str:
        return self.context.hash(password)

    @staticmethod
    def _generate_password(length: int) -> str:
        # Draw each character from the CSPRNG-backed secrets module.
        alphabet = string.ascii_letters + string.digits
        password = ''.join(secrets.choice(alphabet) for _ in range(length))
        return password

    def generate(self) -> str:
        return self._generate_password(20)
```

If you need a drop-in replacement, you will need the support of bcrypt, and you should use the following as a context:

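```python
from pwdlib import PasswordHash
from pwdlib.hashers.argon2 import Argon2Hasher
from pwdlib.hashers.bcrypt import BcryptHasher

# Inside PasswordHelper.__init__:
self.context = PasswordHash((
    Argon2Hasher(),
    BcryptHasher(),
))
```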

see https://frankie567.github.io/pwdlib/guide/#password-hashing

In any case, thank you @frankie567 🙏
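What a two-hasher context like the one above means at login time, as an added example that is not part of the thread and is not pwdlib or fastapi-users code: a legacy hash is still accepted and is replaced with a hash from the first hasher after a successful check. It uses standard-library stand-ins (scrypt in the role of `Argon2Hasher`, PBKDF2 in the role of `BcryptHasher`); `Hasher`, `verify_and_update`, `login` and the stored-hash format are hypothetical.

```python
import hashlib
import hmac
import os


class Hasher:
    """Constructed stand-in hasher; stored form is '<prefix><salt hex>$<digest hex>'."""

    def __init__(self, prefix, derive):
        self.prefix, self.derive = prefix, derive

    def identify(self, hashed: str) -> bool:
        return hashed.startswith(self.prefix)

    def hash(self, password: str) -> str:
        salt = os.urandom(16)
        return f"{self.prefix}{salt.hex()}${self.derive(password.encode(), salt).hex()}"

    def verify(self, password: str, hashed: str) -> bool:
        salt_hex, _, digest_hex = hashed[len(self.prefix):].partition("$")
        try:
            salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        except ValueError:  # malformed stored value counts as a failed check
            return False
        return hmac.compare_digest(self.derive(password.encode(), salt), digest)


# Stand-ins (assumptions): scrypt plays Argon2Hasher, PBKDF2 plays BcryptHasher.
CURRENT = Hasher("$scrypt$", lambda pw, s: hashlib.scrypt(pw, salt=s, n=2**14, r=8, p=1))
LEGACY = Hasher("$pbkdf2$", lambda pw, s: hashlib.pbkdf2_hmac("sha256", pw, s, 100_000))


def verify_and_update(hashers, password: str, hashed: str):
    """hashers[0] creates new hashes; the remaining hashers only verify old ones."""
    current = hashers[0]
    for hasher in hashers:
        if hasher.identify(hashed):
            if not hasher.verify(password, hashed):
                return False, None
            # Valid password: rehash only when the stored hash is a legacy one.
            return True, (None if hasher is current else current.hash(password))
    raise ValueError("no configured hasher recognises this hash")


def login(db: dict, hashers, user: str, password: str) -> bool:
    ok, new_hash = verify_and_update(hashers, password, db[user])
    if ok and new_hash is not None:
        db[user] = new_hash  # persist the upgraded hash
    return ok
```

With only `CURRENT` in the tuple, a stored legacy hash is not recognised at all, which is why existing bcrypt hashes need the second hasher.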

@frankie567
Member

Hi @hasB4K 👋

That's indeed the plan, just didn't have time to tackle it yet 😊

@hasB4K

hasB4K commented Mar 11, 2024

Like @MatthewScholefield said here #1301 (comment), it seems that there is some news on the passlib side here.

I guess wait and see 🤷 🤞

@frankie567
Member

Indeed, but I think I'll still move forward with pwdlib anyway. People will still be able to go back to passlib using a custom password helper if they want to.

@bkis
Contributor

bkis commented Mar 11, 2024

I understand and I'm looking forward to what you're building there. If the relevant issues with passlib get fixed before your own lib is ready, it would still be nice if the passlib update finds its way into fastapi-users in the meantime. Thank you for all your work!

@frankie567
Member

I made the move and this is now fixed as of v13.0.0.

As I mentioned above, if you still want to use passlib, you can do so by implementing a custom PasswordHelper: https://fastapi-users.github.io/fastapi-users/latest/configuration/password-hash/#full-customization
