upgrade pass hashing to argon2

martinkirch · Aug 15, 2023 · da67af7 · da67af7
1 parent 25baf15
commit da67af7
Show file tree

Hide file tree

Showing 4 changed files with 170 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,10 +1,10 @@
 Changes and release history
 ===========================
 
-0.4.x
-=====
+0.4.x [upcoming]
+================
 
-Breaking changes: Showergel now requires Python 3.8 or more.
+Breaking changes: Showergel now requires Python 3.8 or more. **After installation, update the password of all users !!**
 
  - New feature [to be documented] : cartfolders
  - [internal] updates many Python and Javascript dependencies

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -31,6 +31,7 @@ toml = "^0.10.2"
 APScheduler = "^3.7.0"
 arrow = "^1.1.0"
 watchdog = "^3.0.0"
+argon2-cffi = "^23.1.0"
 
 [tool.poetry.dev-dependencies]
 pytest = "^7"

diff --git a/showergel/users.py b/showergel/users.py
@@ -7,15 +7,15 @@
 """
 
 import logging
-import crypt
 from datetime import datetime
-from hmac import compare_digest
 from typing import Type, List, Dict
 
 from sqlalchemy import Column, Integer, String
 from sqlalchemy.orm.session import Session
 from sqlalchemy.dialects.sqlite import JSON, DATETIME
 import arrow
+from argon2 import PasswordHasher
+from argon2.exceptions import VerifyMismatchError
 
 from showergel.db import Base
 
@@ -46,7 +46,8 @@ def list(cls, db:Type[Session]) -> List[Dict]:
 
     @classmethod
     def create(cls, db:Type[Session], username:String, password:String):
-        user = cls(username=username, password=crypt.crypt(password))
+        ph = PasswordHasher()
+        user = cls(username=username, password=ph.hash(password))
         db.add(user)
         db.flush()
         return user
@@ -59,8 +60,17 @@ def from_username(cls, db:Type[Session], username:String):
     def check(cls, db:Type[Session], username:String, password:String):
         user = cls.from_username(db, username)
         if user:
-            if compare_digest(crypt.crypt(password, user.password), user.password):
-                return user
+            ph = PasswordHasher()
+            try:
+                if ph.verify(user.password, password):
+                    if ph.check_needs_rehash(user.password):
+                        user.password = ph.hash(password)
+                        db.flush()
+                    return user
+            except VerifyMismatchError:
+                return None
+            except Exception as e:
+                _log.exception(e)
         return None
 
     @classmethod
@@ -69,4 +79,5 @@ def delete(cls, db:Type[Session], username:String):
             db.query(cls).filter(cls.username == username).delete()
 
     def update_password(self, new_password):
-        self.password = crypt.crypt(new_password)
+        ph = PasswordHasher()
+        self.password = ph.hash(new_password)