anomaly / lab-python-server

A template for building containerised web applications in Python with a recommended set of dependencies and tooling
Apache License 2.0
11 stars, 2 forks

Move to using `pyca/bcrypt` for password hashing #58

Closed devraj closed 1 year ago

devraj commented 1 year ago

Is your feature request related to a problem? Please describe.

We've been using passlib to hash passwords.

The library has not received any updates in over two years. The runtimes are now throwing warnings for one of its dependencies, which will be dropped in Python 3.13 (first seen when I was running tests):

================================================================== warnings summary ==================================================================
../usr/local/lib/python3.11/site-packages/passlib/utils/__init__.py:854
  /usr/local/lib/python3.11/site-packages/passlib/utils/__init__.py:854: DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13
    from crypt import crypt as _crypt

../usr/local/lib/python3.11/site-packages/kombu/utils/compat.py:82
  /usr/local/lib/python3.11/site-packages/kombu/utils/compat.py:82: DeprecationWarning: SelectableGroups dict interface is deprecated. Use select.
    for ep in importlib_metadata.entry_points().get(namespace, [])

A ticket was lodged in November 2022, and by the looks of it the developers have not even triaged much for a while.

Should we consider an alternative to using passlib?

Describe the solution you'd like

Carefully evaluate other alternatives, preferably one that provides higher level implementations.

We do not want to maintain any cryptography related items if we don't have to.

Describe alternatives you've considered

NA

Additional context

See repository for inactivity

devraj commented 1 year ago

pyca/bcrypt has an implementation of password hashing which can be used as:

>>> import bcrypt
>>> password = b"super secret password"
>>> # Hash a password for the first time, with a randomly-generated salt
>>> hashed = bcrypt.hashpw(password, bcrypt.gensalt())
>>> # Check that an unhashed password matches one that has previously been
>>> # hashed
>>> if bcrypt.checkpw(password, hashed):
...     print("It Matches!")
... else:
...     print("It Does not Match :(")

This drops the need for using passlib; from here we need to: