Commit 23f959bdab8b5cd86dbaf0177c7fb17d1f17e408

Authored by Miguel Barão
1 parent 181d7eb8
Exists in dev

update to bcrypt 5.0 (incomplete)

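--- a/aprendizations/initdb.py
+++ b/aprendizations/initdb.py
@@ -186,7 +186,10 @@ def main():
 print(f' {student["uid"]}, {student["name"]}')
 
 passwd = args.pw or student['uid']
-hashed_pw = bcrypt.hashpw(passwd.encode('utf-8'), bcrypt.gensalt())
+# passwd = passwd[:72] # HACK: truncate to avoid exception on bcrypt 5.0
+print(type(passwd), passwd)
+hashed_pw = bcrypt.hashpw(passwd[:72].encode('utf-8'), bcrypt.gensalt())
+print(type(hashed_pw), hashed_pw)
 session.add(Student(id=student['uid'],
 name=student['name'],
 password=hashed_pw))
@@ -204,16 +207,19 @@ def main():
 print('\nUpdating passwords of students:')
 count = 0
 for sid in args.update:
+passwd = args.pw or sid
+hashed_pw = bcrypt.hashpw(passwd[:72].encode('utf-8'), bcrypt.gensalt())
+print(type(passwd), passwd)
+print(type(hashed_pw), hashed_pw)
 try:
-query = select(Student).filter_by(id=sid)
+query = select(Student).where(Student.id == sid)
 student = session.execute(query).scalar_one()
+student.password = hashed_pw # FIXME: update not working
 except NoResultFound:
 print(f' -> student {sid} does not exist!')
 continue
 count += 1
 print(f' {sid}, {student.name}')
-passwd = (args.pw or sid).encode('utf-8')
-student.password = str(bcrypt.hashpw(passwd, bcrypt.gensalt()))
 
 session.commit()
 print(f'Total {count} password(s) updated.')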
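Review bot: `passwd[:72]` at new lines 191 and 211 slices characters before encoding, but bcrypt's 72 limit is counted in bytes, so a password containing non-ASCII characters can still exceed it after `.encode('utf-8')` and raise the ValueError this change is meant to avoid. Slicing after encoding, `passwd.encode('utf-8')[:72]`, bounds what bcrypt actually receives. The same applies to `password[:72].encode('utf-8')` at learnapp.py new lines 175 and 227, and every site has to truncate identically or a stored hash will not verify at login. Silent truncation also makes any two passwords that share their first 72 bytes interchangeable, so rejecting over-long input when a password is set may be the clearer policy. The `print(type(passwd), passwd)` and `print(type(hashed_pw), hashed_pw)` lines in both hunks write the cleartext password and its hash to the terminal and should go before this leaves the dev branch.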
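--- a/aprendizations/learnapp.py
+++ b/aprendizations/learnapp.py
@@ -165,10 +165,14 @@ class Application():
 logger.info('User "%s" does not exist', uid)
 return False
 
-loop = asyncio.get_running_loop()
+# NOTE:
+# bcrypt 5.0 raises ValueError exception for password larger than 72 chars.
+# I'm truncating the password to avoid this exception
+print(type(password.encode('utf-8')), password.encode('utf-8'))
+print(type(student.password), student.password)
 pw_ok: bool = await loop.run_in_executor(None,
 bcrypt.checkpw,
-password.encode('utf-8'),
+password[:72].encode('utf-8'),
 student.password)
 
 if pw_ok:
@@ -209,7 +213,7 @@ class Application():
 logger.info('User "%s" logged out', uid)
 
 # ------------------------------------------------------------------------
-async def change_password(self, uid: str, password: str) -> bool:
+async def change_password(self, uid: str, password: str, loop) -> bool:
 '''
 Change user Password.
 Returns True if password is successfully changed
@@ -217,15 +221,15 @@ class Application():
 if not password:
 return False
 
-loop = asyncio.get_running_loop()
+# loop = asyncio.get_running_loop()
 hashed_pw = await loop.run_in_executor(None,
-bcrypt.hashpw,
-password.encode('utf-8'),
-bcrypt.gensalt())
+bcrypt.hashpw,
+password[:72].encode('utf-8'),
+bcrypt.gensalt())
 
 with Session(self._engine) as session:
 query = select(Student).where(Student.id == uid)
-session.execute(query).scalar_one().password = str(hashed_pw)
+session.execute(query).scalar_one().password = hashed_pw
 session.commit()
 
 logger.info('User "%s" changed password', uid)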
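Review bot: The two `print` calls added at new lines 171-172 write every submitted login password in cleartext, together with the stored hash, to the server's stdout on each authentication attempt. They should be removed, or at most replaced by something like `logger.debug('checking password for "%s"', uid)` that carries no secret. The same hunk deletes `loop = asyncio.get_running_loop()` while `loop.run_in_executor(...)` is still called at new line 173, so unless `loop` is bound earlier in the method (its start is outside the hunk) the login path would fail with a NameError; restoring that line looks like the smallest fix.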
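--- a/aprendizations/serve.py
+++ b/aprendizations/serve.py
@@ -84,7 +84,8 @@ class ChangePasswordHandler(BaseHandler):
 '''Try to change password and show success/fail status'''
 userid = self.current_user
 passwd = self.get_body_arguments('new_password')[0] # FIXME porque [0]?
-ok = await self.app.change_password(userid, passwd)
+loop = tornado.ioloop.IOLoop.current()
+ok = await self.app.change_password(userid, passwd, loop)
 notification = self.render_string('notification.html', ok=ok)
 self.write({'msg': to_unicode(notification)})
 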
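Review bot: Passing `tornado.ioloop.IOLoop.current()` into `change_password` makes a web-framework object part of the application API, although learnapp.py only uses it for `run_in_executor`. Restoring `loop = asyncio.get_running_loop()` inside `change_password` (it is only commented out there) would keep the call here as `await self.app.change_password(userid, passwd)` and avoid a required third argument for every other caller. Separately, the context line `self.get_body_arguments('new_password')[0]` raises IndexError when the field is missing from the request; `self.get_body_argument('new_password', '')` would let the existing empty-password check in `change_password` return False instead. The handler method starts outside the hunk.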
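--- a/setup.py
+++ b/setup.py
@@ -25,7 +25,7 @@ setup(
 'pyyaml>=6.0',
 'pygments>=2.19',
 'sqlalchemy>=2.0.37',
-'bcrypt>=4.2.1',
+'bcrypt>=5.0',
 'networkx>=3.4.2',
 'pandas>=2.3',
 'openpyxl'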