diff --git a/backend/auth.py b/backend/auth.py index 825e67c..49de82a 100644 --- a/backend/auth.py +++ b/backend/auth.py @@ -1,6 +1,7 @@ from __future__ import annotations import os +import hashlib from datetime import datetime, timedelta, timezone from fastapi import Depends, HTTPException @@ -26,12 +27,23 @@ JWT_ALG = _env("JWT_ALG", "HS256") JWT_EXPIRES_MINUTES = int(_env("JWT_EXPIRES_MINUTES", "480")) # 8h +def _bcrypt_safe_password(password: str) -> str: + """ + bcrypt only uses first 72 bytes of the input. + To support long passwords safely, pre-hash using SHA-256 when needed. + """ + raw = password.encode("utf-8") + if len(raw) <= 72: + return password + return hashlib.sha256(raw).hexdigest() + + def hash_password(password: str) -> str: - return pwd_context.hash(password) + return pwd_context.hash(_bcrypt_safe_password(password)) def verify_password(password: str, password_hash: str) -> bool: - return pwd_context.verify(password, password_hash) + return pwd_context.verify(_bcrypt_safe_password(password), password_hash) def create_access_token(*, user_id: str) -> str: