password hashing

2025-08-22 14:33:33 -07:00 · 2021-02-21 13:50:17 -09:00 · 2021-02-21 13:50:17 -09:00 · a376699063
commit a376699063
parent e911f781e0
4 changed files with 37 additions and 3 deletions
--- a/mealie/core/security.py
+++ b/mealie/core/security.py
@ -0,0 +1,29 @@
+from passlib.context import CryptContext
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Compares a plain string to a hashed password
+
+    Args:
+        plain_password (str): raw password string
+        hashed_password (str): hashed password from the database
+
+    Returns:
+        bool: Returns True if a match return False
+    """
+    return pwd_context.verify(plain_password, hashed_password)
+
+
+def get_password_hash(password: str) -> str:
+    """Takes in a raw password and hashes it. Used prior to saving
+    a new password to the database.
+
+    Args:
+        password (str): Password String
+
+    Returns:
+        str: Hashed Password
+    """
+    return pwd_context.hash(password)
--- a/mealie/routes/deps.py
+++ b/mealie/routes/deps.py
@ -1,4 +1,4 @@
-from app_config import SECRET
+from core.config import SECRET
 from db.database import db
 from db.db_setup import create_session
 from fastapi_login import LoginManager
--- a/mealie/routes/users/auth.py
+++ b/mealie/routes/users/auth.py
@ -1,3 +1,4 @@
+from core.security import verify_password
 from db.db_setup import generate_session
 from fastapi import APIRouter, Depends
 from fastapi.security import OAuth2PasswordRequestForm
@ -17,9 +18,10 @@ def token(
    password = data.password

    user = query_user(email, session)
+    print(user)
    if not user:
        raise InvalidCredentialsException  # you can also use your own HTTPException
-    elif password != user["password"]:
+    elif not verify_password(password, user["password"]):
        raise InvalidCredentialsException

    access_token = manager.create_access_token(data=dict(sub=email))
--- a/mealie/routes/users/crud.py
+++ b/mealie/routes/users/crud.py
@ -1,3 +1,4 @@
+from core.security import get_password_hash
 from db.database import db
 from db.db_setup import generate_session
 from fastapi import APIRouter, Depends
@ -16,8 +17,9 @@ async def create_user(
 ):
    """ Returns a list of all user in the Database """

+    new_user.password = get_password_hash(new_user.password)
+
    data = db.users.create(session, new_user.dict())
-    print(data)
    return data


@ -47,6 +49,7 @@ async def update_user(
    session: Session = Depends(generate_session),
 ):
    current_user_id = current_user.get("id")
+    new_data.password = get_password_hash(new_data.password)
    is_superuser = current_user.get("is_superuser")
    if current_user_id == id or is_superuser:
        return db.users.update(session, id, new_data.dict())