refactor(auth): use Python stdlib instead of deprecated passlib (#614)

refactor(auth): use Python stdlib instead of deprecated passlib
test(auth): add test to ensure passlib compatibility

Author: BlobbyBob

client/cypress/support/commands.ts

@@ -6,4 +6,5 @@ Cypress.Commands.add('login' as any, () => {
     .type('[email protected]');
   cy.get('[data-cy="login-form-password"] input').focus().type('admin');
   cy.get('[data-cy="login-form-submit"]').click();
+  cy.url().should('not.eq', 'http://localhost:4200/login');
 });

server/Pipfile

@@ -7,7 +7,6 @@ name = "pypi"
 pillow = "*"
 flask = "*"
 flask-jwt-extended = "*"
-passlib = "*"
 flask-sqlalchemy = "*"
 python-dateutil = "*"
 flask-cors = "*"

server/Pipfile.lock

@@ -1,6 +1,8 @@
+import secrets
+from base64 import b64decode, b64encode
+from hashlib import pbkdf2_hmac
 from typing import Self
 
-from passlib.hash import pbkdf2_sha256
 from sqlalchemy.dialects.postgresql import UUID
 
 from extensions import db
@@ -43,11 +45,33 @@ class User(HasSlug, IsSearchable, BaseEntity):
 
     @staticmethod
     def generate_hash(password):
-        return pbkdf2_sha256.hash(password)
+        # recommended iteration count by OWASP cheat sheet
+        # https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
+        iterations = 600_000
+        salt = secrets.token_bytes(16)
+        hash_value = pbkdf2_hmac("sha256", password.encode(), salt, iterations)
+
+        salt_encoded = b64encode(salt, altchars=b"./").decode().rstrip("=")
+        hash_encoded = b64encode(hash_value, altchars=b"./").decode().rstrip("=")
+
+        return f"$pbkdf2-sha256${iterations}${salt_encoded}${hash_encoded}"
 
     @staticmethod
     def verify_hash(password, password_hash):
-        return pbkdf2_sha256.verify(password, password_hash)
+        if not password_hash.startswith("$pbkdf2-sha256$") or password_hash.count("$") != 4:
+            raise ValueError("Invalid password hash")
+
+        details = password_hash[15:].split("$")  # Remove known prefix
+        iterations = int(details[0])
+
+        # base64 padding is required
+        # this workaround is probably CPython specific, but simplifies the code
+        salt = b64decode(details[1] + "===", altchars=b"./")
+        known_hash = b64decode(details[2] + "===", altchars=b"./")
+
+        new_hash = pbkdf2_hmac("sha256", password.encode(), salt, iterations)
+
+        return secrets.compare_digest(new_hash, known_hash)
 
     @classmethod
     def find_by_reset_password_hash(cls, password_hash) -> Self | None:

server/src/models/user.py

@@ -8,7 +8,6 @@
 from models.enums.map_marker_type_enum import MapMarkerType
 from models.file import File
 from models.user import User
-from tests.conftest import admin_token
 
 
 def test_successful_login(client):
@@ -203,7 +202,6 @@ def test_revoked_access_token_behaviour(client, member_token):
 
 
 def test_revoked_refresh_token_behaviour(client, admin_refresh_token):
-    refresh_token = ""
     rv = client.post("/api/logout/refresh", token=admin_refresh_token)
     assert rv.status_code == 200
     res = rv.json
@@ -305,3 +303,12 @@ def test_permission_levels(client, user_token, member_token, moderator_token):
 
     rv = client.post("/api/crags", token=moderator_token, json=crag_data)
     assert rv.status_code == 201
+
+
+def test_passlib_compatibility():
+    # passlib.hash.pbkdf2_sha256.hash("abc")
+    hash1 = "$pbkdf2-sha256$29000$2HtPiVGKEcKYU2pt7R1jTA$wXMP6Wpr6FdM2Pnb.bMG0nVBmBmaX6WzPm2g0.GVHIU"
+    # passlib.hash.pbkdf2_sha256.hash("⚡🏜️🦥")
+    hash2 = "$pbkdf2-sha256$29000$bo3xvtc6pzTm/F9L6V2LMQ$9voplTQmhlXiJakG38j/e5QMOGZmfA5xbQtE2Xf5XKE"
+    assert User.verify_hash("abc", hash1), "Hashing compatilibity error"
+    assert User.verify_hash("⚡🏜️🦥", hash2), "Unicode hashing compatibility error"