Updated password encryption to argon2

Author: Seluj78

backend/PyMatcha/models/user.py

@@ -19,7 +19,6 @@
 from __future__ import annotations
 
 import datetime
-import hashlib
 import logging
 from typing import Any
 from typing import Dict
@@ -64,11 +63,6 @@ class User(Model):
     confirmed_on = Field(datetime.datetime, fmt="%Y-%m-%d %H:%M:%S")
     previous_reset_token = Field(str)
 
-    def check_password(self, password: str) -> bool:
-        logging.debug("Checking password again {} hashed password".format(self.id))
-        _hash, salt = self.password.split(":")
-        return _hash == hashlib.sha3_512(salt.encode() + password.encode()).hexdigest()
-
     @staticmethod
     def create(
         first_name: str,

backend/PyMatcha/routes/api/auth/login.py

@@ -35,10 +35,10 @@
 from PyMatcha.utils.decorators import validate_params
 from PyMatcha.utils.errors import NotFoundError
 from PyMatcha.utils.errors import UnauthorizedError
+from PyMatcha.utils.password import check_password
 from PyMatcha.utils.success import Success
 from PyMatcha.utils.success import SuccessOutput
 
-
 REQUIRED_KEYS_LOGIN = {"username": str, "password": str}
 
 auth_login_bp = Blueprint("auth_login", __name__)
@@ -56,7 +56,7 @@ def auth_login():
     except NotFoundError:
         current_app.logger.debug("/auth/login -> User not found")
         raise UnauthorizedError("Incorrect username or password")
-    if not u.check_password(password):
+    if not check_password(u.password, password):
         current_app.logger.debug("/auth/login -> Password invalid")
         raise UnauthorizedError("Incorrect username or password")
 

backend/PyMatcha/routes/api/profile/edit.py

@@ -35,6 +35,7 @@
 from PyMatcha.utils.errors import UnauthorizedError
 from PyMatcha.utils.mail import send_mail_html
 from PyMatcha.utils.mail import send_mail_text
+from PyMatcha.utils.password import check_password
 from PyMatcha.utils.success import Success
 
 profile_edit_bp = Blueprint("profile_edit", __name__)
@@ -126,7 +127,7 @@ def edit_password():
     data = request.get_json()
     old_password = data["old_password"]
     new_password = data["new_password"]
-    if not current_user.check_password(old_password):
+    if not check_password(current_user.password, old_password):
         raise UnauthorizedError("Incorrect password")
     current_user.password = hash_password(new_password)
     current_user.save()

backend/PyMatcha/utils/password.py

@@ -16,12 +16,14 @@
     You should have received a copy of the GNU General Public License
     along with this program.  If not, see <https://www.gnu.org/licenses/>.
 """
-import hashlib
-import logging
-import uuid
+from argon2 import PasswordHasher
+
+ph = PasswordHasher()
 
 
 def hash_password(password: str) -> str:
-    salt = uuid.uuid4().hex
-    logging.debug("Hashing password with salt {}".format(salt))
-    return hashlib.sha3_512(salt.encode() + password.encode()).hexdigest() + ":" + salt
+    return ph.hash(password)
+
+
+def check_password(hash: str, password: str) -> bool:
+    return ph.verify(hash, password)

backend/requirements.txt

@@ -27,4 +27,6 @@ pre-commit==2.5.1
 names==0.3.0
 lorem==0.1.1
 future==0.18.2
-ip2geotools==0.1.5
+ip2geotools==0.1.5
+
+argon2-cffi==20.1.0