Replace py-bcrypt with bcrypt.

Almost a drop-in replacement, only needed some str - byte conversions. The former has not seen a release since 2013, the latter is active with a last release on Aug. 16th 2020. Signed-off-by: Ben Sturmfels <ben@sturm.com.au>
2021-09-22 00:00:19 +02:00 · 2021-09-22 00:00:19 +02:00 · fe01dd00fb
commit fe01dd00fb
parent 692261d405
4 changed files with 7 additions and 7 deletions
--- a/docs/source/siteadmin/relnotes.rst
+++ b/docs/source/siteadmin/relnotes.rst
@ -34,6 +34,7 @@ This chapter has important information about our current and previous releases.
 - Set videos to preload="metadata" to prevent upfront download [trac#5625] (Michael McMahon)
 - Add a "Troubleshooting" page to the documentation (Ben Sturmfels)
 - Add Ubuntu 20.04 CI build and reinstate Debian 10 CI build (Ben Sturmfels)
+- Switch from `py-bcrypt` to `bcrypt` (Elisei Roca)


 0.12.0
--- a/guix-env.scm
+++ b/guix-env.scm
@ -207,7 +207,7 @@
       ("python-openid" ,python-openid) ; For OpenID plugin
       ("python-pastescript" ,python-pastescript)
       ("python-pillow" ,python-pillow)
-       ("python-py-bcrypt" ,python-py-bcrypt)
+       ("python-bcrypt" ,python-bcrypt)
       ("python-pyld" ,python-pyld)
       ("python-pytz" ,python-pytz)
       ("python-requests" ,python-requests) ; For batchaddmedia
--- a/mediagoblin/plugins/basic_auth/tools.py
+++ b/mediagoblin/plugins/basic_auth/tools.py
@ -40,7 +40,7 @@ def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
    if extra_salt:
        raw_pass = f"{extra_salt}:{raw_pass}"

-    hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash)
+    hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash.encode('utf-8'))

    # Reduce risk of timing attacks by hashing again with a random
    # number (thx to zooko on this advice, which I hopefully
@ -66,8 +66,7 @@ def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
    if extra_salt:
        raw_pass = f"{extra_salt}:{raw_pass}"

-    return str(
-        bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()))
+    return bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()).decode()


 def fake_login_attempt():
@ -81,9 +80,9 @@ def fake_login_attempt():
    """
    rand_salt = bcrypt.gensalt(5)

-    hashed_pass = bcrypt.hashpw(str(random.random()), rand_salt)
+    hashed_pass = bcrypt.hashpw(str(random.random()).encode('utf8'), rand_salt)

-    randplus_stored_hash = bcrypt.hashpw(str(random.random()), rand_salt)
+    randplus_stored_hash = bcrypt.hashpw(str(random.random()).encode('utf8'), rand_salt)
    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)

    randplus_stored_hash == randplus_hashed_pass
--- a/setup.cfg
+++ b/setup.cfg
@ -56,7 +56,7 @@ install_requires =
    Markdown
    oauthlib
    PasteScript
-    py-bcrypt
+    bcrypt
    PyLD<2.0.0  # Breaks a Python 3 test if >= 2.0.0.
    python-dateutil
    pytz