This commit is contained in:
2026-04-08 00:44:43 +03:00
parent 1c451016f9
commit d3f6736a2b
3 changed files with 8 additions and 35 deletions

View File

@@ -1,7 +1,6 @@
from __future__ import annotations
import os
import hashlib
from datetime import datetime, timedelta, timezone
from fastapi import Depends, HTTPException
@@ -13,10 +12,10 @@ from sqlalchemy.orm import Session
from backend.db import get_db
from backend.models import User
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
pwd_context = CryptContext(schemes=["argon2"], deprecated="auto")
bearer = HTTPBearer(auto_error=False)
AUTH_VERSION = "prehash-sha256-2026-04-07"
AUTH_VERSION = "argon2-2026-04-07"
def _env(name: str, default: str) -> str:
@@ -29,38 +28,23 @@ JWT_ALG = _env("JWT_ALG", "HS256")
JWT_EXPIRES_MINUTES = int(_env("JWT_EXPIRES_MINUTES", "480")) # 8h
def _bcrypt_safe_password(password: str) -> str:
"""
bcrypt only uses first 72 bytes of the input.
To support long passwords safely, pre-hash using SHA-256 when needed.
"""
raw = password.encode("utf-8")
if len(raw) <= 72:
return password
return hashlib.sha256(raw).hexdigest()
def hash_password(password: str) -> str:
safe = _bcrypt_safe_password(password)
try:
return pwd_context.hash(safe)
return pwd_context.hash(password)
except Exception as e:
orig_len = len(password.encode("utf-8"))
safe_len = len(safe.encode("utf-8"))
raise RuntimeError(
f"{str(e)} (orig_bytes_len={orig_len}, safe_bytes_len={safe_len}, safe_type={type(safe).__name__})"
f"{str(e)} (orig_bytes_len={orig_len})"
) from e
def verify_password(password: str, password_hash: str) -> bool:
safe = _bcrypt_safe_password(password)
try:
return pwd_context.verify(safe, password_hash)
return pwd_context.verify(password, password_hash)
except Exception as e:
orig_len = len(password.encode("utf-8"))
safe_len = len(safe.encode("utf-8"))
raise RuntimeError(
f"{str(e)} (orig_bytes_len={orig_len}, safe_bytes_len={safe_len}, safe_type={type(safe).__name__})"
f"{str(e)} (orig_bytes_len={orig_len})"
) from e