From 3e990cae7e19b7b597a741e22c4f4ce898ad9011 Mon Sep 17 00:00:00 2001 From: derekc Date: Mon, 25 May 2026 01:41:27 -0700 Subject: [PATCH] Replace passlib with direct bcrypt calls, drop passlib dependency passlib is unmaintained and incompatible with bcrypt 5.0.0 due to its internal wrap-bug detection test exceeding bcrypt's 72-byte password limit. Co-Authored-By: Claude Sonnet 4.6 --- backend/auth.py | 9 +++------ backend/requirements.txt | 1 - 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/backend/auth.py b/backend/auth.py index fe40000..9a68ca0 100644 --- a/backend/auth.py +++ b/backend/auth.py @@ -2,8 +2,8 @@ import os from datetime import datetime, timedelta, timezone from typing import Optional +import bcrypt from jose import JWTError, jwt -from passlib.context import CryptContext from fastapi import Cookie, Depends, HTTPException, Response, status from sqlalchemy.orm import Session @@ -16,15 +16,12 @@ ACCESS_TOKEN_EXPIRE_DAYS = 30 COOKIE_NAME = "token" SECURE_COOKIES = os.environ.get("SECURE_COOKIES", "true").lower() == "true" -pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto") - - def verify_password(plain_password: str, hashed_password: str) -> bool: - return pwd_context.verify(plain_password, hashed_password) + return bcrypt.checkpw(plain_password.encode(), hashed_password.encode()) def hash_password(password: str) -> str: - return pwd_context.hash(password) + return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode() def create_access_token(user_id: int, username: str, is_admin: bool, user_timezone: str = "UTC", admin_id: Optional[int] = None) -> str: diff --git a/backend/requirements.txt b/backend/requirements.txt index ee0bfa6..4f66cb5 100644 --- a/backend/requirements.txt +++ b/backend/requirements.txt @@ -5,6 +5,5 @@ pymysql==1.2.0 cryptography==48.0.0 pydantic==2.13.4 python-jose[cryptography]==3.5.0 -passlib[bcrypt]==1.7.4 bcrypt==5.0.0 httpx==0.28.1