pallets-eco / flask-security

Quick and simple security for Flask applications
MIT License

Limiting `SECURITY_HASHING_SCHEMES` to sha256_crypt prevents the extension from loading #998

Closed savchenko closed 4 months ago

savchenko commented 4 months ago

Steps to reproduce

  1. Add SECURITY_HASHING_SCHEMES = ["sha256_crypt"] to the application config and initialise FST.
  2. Observe the error
Traceback (most recent call last):
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/flask/cli.py", line 937, in run_command
    app: WSGIApplication = info.load_app()
                           ^^^^^^^^^^^^^^^
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/flask/cli.py", line 335, in load_app
    app = locate_app(import_name, name)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/flask/cli.py", line 262, in locate_app
    return find_best_app(module)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/flask/cli.py", line 72, in find_best_app
    app = app_factory()
          ^^^^^^^^^^^^^
  File "/home/user/.shares/user_code/project/app/core/__init__.py", line 70, in create_app
    _ = Security(app, user_datastore)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/flask_security/core.py", line 1288, in __init__
    self.init_app(app, datastore, register_blueprint=register_blueprint)
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/flask_security/core.py", line 1432, in init_app
    self.hashing_context = _get_hashing_context(app)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/flask_security/core.py", line 762, in _get_hashing_context
    return CryptContext(schemes=schemes, deprecated=deprecated)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/passlib/context.py", line 1402, in __init__
    self.load(kwds)
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/passlib/context.py", line 1597, in load
    config = _CryptConfig(source)
             ^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/passlib/context.py", line 636, in __init__
    self._init_options(source)
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/passlib/context.py", line 734, in _init_options
    key, value = norm_context_option(cat, key, value)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/.cache/pypoetry/virtualenvs/app-d3o9zfYz-py3.11/lib/python3.11/site-packages/passlib/context.py", line 789, in _norm_context_option
    raise KeyError("deprecated scheme not found "
KeyError: "deprecated scheme not found in policy: 'hex_md5'"

jwag956 commented 4 months ago

Be sure to also modify: SECURITY_DEPRECATED_HASHING_SCHEMES

savchenko commented 4 months ago

@jwag956 , I already have this:

SECURITY_DEPRECATED_HASHING_SCHEMES = ["hex_md5"]
SECURITY_HASHING_SCHEMES = ["sha256_crypt"]

Changing order doesn't seem to make any difference.

My intention is to remove md5 from the hashing algorithms leaving only sha256. Am I missing something obvious?

jwag956 commented 4 months ago

Possibly the documentation is not as clear as it should be: 'deprecated' means accepted but not used for encryption. So, if you want to not ACCEPT hex_md5, remove it from the DEPRECATED list.

see: https://passlib.readthedocs.io/en/stable/lib/passlib.context.html
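The two settings in this thread are handed straight to passlib, as the traceback shows (`_get_hashing_context` builds `CryptContext(schemes=schemes, deprecated=deprecated)`, the context Flask-Security keeps separate from its password context), and passlib requires every `deprecated` entry to also appear in `schemes`. The following is an added example, not code from Flask-Security or passlib: a hypothetical `check_hashing_config()` helper that catches the reporter's configuration at startup with a readable message instead of passlib's `KeyError`, three constructed config dicts (the broken one, accept-and-migrate, reject-md5), and a `demo()` that builds the two valid contexts with passlib to show the difference in how an old `hex_md5` hash is treated. `demo()` assumes passlib is installed; the secret and legacy hash it uses are constructed for the example.

```python
"""Pre-flight check for SECURITY_HASHING_SCHEMES / SECURITY_DEPRECATED_HASHING_SCHEMES.

Hypothetical helper (not part of Flask-Security or passlib). It mirrors the one
rule the traceback in this issue exposes: passlib's CryptContext rejects a
`deprecated` scheme that is not also listed in `schemes`.
"""
from __future__ import annotations


def check_hashing_config(config: dict) -> list[str]:
    """Return the problems found in the two hashing settings.

    An empty list means CryptContext(schemes=..., deprecated=...) will load.
    """
    schemes = list(config.get("SECURITY_HASHING_SCHEMES", []))
    deprecated = list(config.get("SECURITY_DEPRECATED_HASHING_SCHEMES", []))
    problems: list[str] = []
    if not schemes:
        problems.append("SECURITY_HASHING_SCHEMES is empty")
    for name in deprecated:
        if name == "auto":
            # passlib special value: everything but the default scheme is deprecated
            continue
        if name not in schemes:
            # This is the condition behind the issue's
            # KeyError: "deprecated scheme not found in policy: 'hex_md5'"
            problems.append(
                f"{name!r} is in SECURITY_DEPRECATED_HASHING_SCHEMES but not in "
                "SECURITY_HASHING_SCHEMES: add it there to keep accepting old "
                "hashes, or remove it from the deprecated list to reject them"
            )
    if schemes and all(s in deprecated for s in schemes):
        # Extra check of this helper, not a passlib rule: with nothing
        # non-deprecated left there is no scheme to create new hashes with.
        problems.append("every scheme is deprecated; none is left for new hashes")
    return problems


# Constructed configurations (dict form of what goes in app.config).
BROKEN = {  # the reporter's config: Security(app, ...) raises KeyError
    "SECURITY_HASHING_SCHEMES": ["sha256_crypt"],
    "SECURITY_DEPRECATED_HASHING_SCHEMES": ["hex_md5"],
}
ACCEPT_AND_MIGRATE = {  # old md5 hashes still verify, new hashes use sha256_crypt
    "SECURITY_HASHING_SCHEMES": ["sha256_crypt", "hex_md5"],
    "SECURITY_DEPRECATED_HASHING_SCHEMES": ["hex_md5"],
}
REJECT_MD5 = {  # what the reporter wanted: md5 hashes are not recognised at all
    "SECURITY_HASHING_SCHEMES": ["sha256_crypt"],
    "SECURITY_DEPRECATED_HASHING_SCHEMES": [],
}


def demo() -> dict:
    """Show how the two valid configs treat a legacy hex_md5 hash (needs passlib)."""
    from passlib.context import CryptContext  # imported here so the check above has no dependency

    secret = "correct horse battery staple"  # constructed sample secret
    legacy = CryptContext(schemes=["hex_md5"]).hash(secret)  # unsalted hex MD5, as old data would be

    migrate = CryptContext(schemes=ACCEPT_AND_MIGRATE["SECURITY_HASHING_SCHEMES"],
                           deprecated=ACCEPT_AND_MIGRATE["SECURITY_DEPRECATED_HASHING_SCHEMES"])
    # verify succeeds and passlib hands back a replacement hash in the default
    # (first, non-deprecated) scheme for the caller to store.
    verified, new_hash = migrate.verify_and_update(secret, legacy)

    strict = CryptContext(schemes=REJECT_MD5["SECURITY_HASHING_SCHEMES"],
                          deprecated=REJECT_MD5["SECURITY_DEPRECATED_HASHING_SCHEMES"])
    try:
        strict.verify(secret, legacy)
        rejected = False
    except ValueError:  # passlib cannot identify a hash from a scheme it does not know
        rejected = True

    return {
        "migrated": verified and new_hash is not None and new_hash.startswith("$5$"),
        "md5_rejected": rejected,
    }


if __name__ == "__main__":
    for label, cfg in [("BROKEN", BROKEN), ("ACCEPT_AND_MIGRATE", ACCEPT_AND_MIGRATE), ("REJECT_MD5", REJECT_MD5)]:
        print(label, check_hashing_config(cfg) or "ok")
    print(demo())
```

Running `check_hashing_config()` from the application factory before `Security(app, ...)` turns the failure into a message that says which of the two settings to change; the `ACCEPT_AND_MIGRATE` pair is the one to use while existing md5 hashes are still being rewritten on the fly, and `REJECT_MD5` once none remain.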

savchenko commented 4 months ago

Hopefully addressed with https://github.com/Flask-Middleware/flask-security/pull/1003