fractal-analytics-platform / fractal-server

Fractal backend
https://fractal-analytics-platform.github.io/fractal-server/
BSD 3-Clause "New" or "Revised" License

Unpin `bcrypt` version constraint #1041

Open tcompa opened 10 months ago

tcompa commented 10 months ago

EDIT: we are now pinning bcrypt to 4.0.1. This issue remains open as a reminder to unpin it, as soon as the issue is fixed upstream.


With python 3.10.12 and fractal-server 1.4.0a8.

WARNING:passlib.handlers.bcrypt:(trapped) error reading bcrypt version
Traceback (most recent call last):
  File "/home/tommaso/Fractal/fractal-server/tests/data/example_server_startup/venv/lib/python3.10/site-packages/passlib/handlers/bcrypt.py", line 620, in _load_backend_mixin
    version = _bcrypt.__about__.__version__
AttributeError: module 'bcrypt' has no attribute '__about__'

this is with

$ pip show bcrypt
Name: bcrypt
Version: 4.1.1
Summary: Modern password hashing for your software and your servers
Home-page: 
Author: 
Author-email: The Python Cryptographic Authority developers <cryptography-dev@python.org>
License: Apache-2.0
Location: /home/tommaso/Fractal/fractal-server/tests/data/example_server_startup/venv/lib/python3.10/site-packages
Requires: 
Required-by: 

The warning is gone if we bring back bcrypt to 4.0.1:

$ pip install bcrypt==4.0.1
Collecting bcrypt==4.0.1
  Using cached bcrypt-4.0.1-cp36-abi3-manylinux_2_28_x86_64.whl (593 kB)
Installing collected packages: bcrypt
  Attempting uninstall: bcrypt
    Found existing installation: bcrypt 4.1.1
    Uninstalling bcrypt-4.1.1:
      Successfully uninstalled bcrypt-4.1.1
Successfully installed bcrypt-4.0.1

$ fractalctl start
WARNING:root:FRACTAL_TASKS_DIR="Tasks" is not an absolute path; converting it to "/home/tommaso/Fractal/fractal-server/tests/data/example_server_startup/Tasks"
fractal_server.app.db
INFO:     Started server process [163782]
INFO:     Waiting for application startup.
2023-11-29 17:26:21,109 - fractal_server.app.db - WARNING - SQLite is supported (for version >=3.37) but discouraged in production. Given its partial support for ForeignKey constraints, database consistency cannot be guaranteed.
2023-11-29 17:26:21,369 - fractal_server.main - INFO - User admin@fractal.xy created
INFO:     Application startup complete.
INFO:     Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)

Note that 4.1.0 had some issues (ref https://github.com/pyca/bcrypt/issues/677), but it was indeed yanked.

tcompa commented 10 months ago

This seems quite harmless.

In https://foss.heptapod.net/python-libs/passlib/-/blob/branch/stable/passlib/handlers/bcrypt.py, there is this block:

        try:
            version = _bcrypt.__about__.__version__
        except:
            log.warning("(trapped) error reading bcrypt version", exc_info=True)
            version = '<unknown>'

but the underlying bcrypt behavior changed when passing from 4.0.1 to 4.1.1:

$ pip install bcrypt==4.0.1
Collecting bcrypt==4.0.1
  Using cached bcrypt-4.0.1-cp36-abi3-manylinux_2_28_x86_64.whl (593 kB)
Installing collected packages: bcrypt
  Attempting uninstall: bcrypt
    Found existing installation: bcrypt 4.1.1
    Uninstalling bcrypt-4.1.1:
      Successfully uninstalled bcrypt-4.1.1
Successfully installed bcrypt-4.0.1

$ python -c "import bcrypt; print(bcrypt.__about__.__version__)"
4.0.1

$ python -c "import bcrypt; print(bcrypt.__version__)"
4.0.1

$ pip install bcrypt==4.1.1
Collecting bcrypt==4.1.1
  Using cached bcrypt-4.1.1-cp37-abi3-manylinux_2_28_x86_64.whl (699 kB)
Installing collected packages: bcrypt
  Attempting uninstall: bcrypt
    Found existing installation: bcrypt 4.0.1
    Uninstalling bcrypt-4.0.1:
      Successfully uninstalled bcrypt-4.0.1
Successfully installed bcrypt-4.1.1

$ python -c "import bcrypt; print(bcrypt.__about__.__version__)"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: module 'bcrypt' has no attribute '__about__'

$ python -c "import bcrypt; print(bcrypt.__version__)"
4.1.1
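
The passlib block quoted above fails because it reads the version from one fixed attribute path (`_bcrypt.__about__.__version__`) that bcrypt 4.1.x no longer provides, even though `bcrypt.__version__` still exists. The following helper, added here as an example and not code from fractal-server, passlib or bcrypt, shows the defensive way to probe a dependency's version: try the old layout, then the new one, then the installed distribution metadata, and only then fall back to `<unknown>`. The `OLD_LAYOUT`, `NEW_LAYOUT` and `BARE` objects are constructed stand-ins that mimic the attribute layouts shown in the shell sessions above, so the script runs without bcrypt installed; `probe_real_bcrypt` is a hypothetical convenience wrapper that uses the real module when it is present.

```python
import importlib
import importlib.metadata
from types import SimpleNamespace
from typing import Any, Optional


def read_version(module: Any, dist_name: Optional[str] = None) -> str:
    """Return a version string for `module` without raising.

    Order of attempts:
      1. module.__about__.__version__   (bcrypt <= 4.0.x layout)
      2. module.__version__             (bcrypt >= 4.1.x layout, also present in 4.0.x)
      3. importlib.metadata.version(dist_name)  (installed distribution metadata)
      4. "<unknown>"                    (same sentinel passlib falls back to)
    """
    # 1. Legacy layout: a nested __about__ namespace carrying __version__.
    about = getattr(module, "__about__", None)
    version = getattr(about, "__version__", None)
    if isinstance(version, str):
        return version

    # 2. Current layout: __version__ directly on the module.
    version = getattr(module, "__version__", None)
    if isinstance(version, str):
        return version

    # 3. Ask the packaging metadata; PackageNotFoundError is the documented failure.
    if dist_name:
        try:
            return importlib.metadata.version(dist_name)
        except importlib.metadata.PackageNotFoundError:
            pass

    # 4. Give up quietly, as passlib does, rather than breaking the caller.
    return "<unknown>"


# Constructed stand-ins (not real modules) mirroring the two bcrypt layouts
# observed in the thread and a module exposing no version at all.
OLD_LAYOUT = SimpleNamespace(
    __about__=SimpleNamespace(__version__="4.0.1"), __version__="4.0.1"
)
NEW_LAYOUT = SimpleNamespace(__version__="4.1.1")
BARE = SimpleNamespace()


def probe_real_bcrypt() -> Optional[str]:
    """Hypothetical helper: report the installed bcrypt version, or None if absent."""
    try:
        bcrypt_module = importlib.import_module("bcrypt")
    except ImportError:
        return None
    return read_version(bcrypt_module, "bcrypt")


if __name__ == "__main__":
    for label, fake in (("old layout", OLD_LAYOUT), ("new layout", NEW_LAYOUT), ("bare", BARE)):
        print(f"{label:10s} -> {read_version(fake)}")
    print("installed bcrypt ->", probe_real_bcrypt())
```

Because every lookup is a `getattr` with a default and the metadata call catches only the exception it can raise, the helper never needs the bare `except:` that passlib uses, and it degrades to `<unknown>` instead of logging a traceback on every server start.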

tcompa commented 10 months ago

Ref https://foss.heptapod.net/python-libs/passlib/-/issues/190 (although it should be noted that passlib is not actively maintained at the moment).

tcompa commented 10 months ago

bcrypt is now pinned to 4.0.1, and the issue remains open as a reminder for unpinning.

tcompa commented 5 months ago

For the record, this also blocks the update of fastapi-users to v13.0.0.