Update password hasher to argon2 (#37)

* feat: Replace bcryp with argon2 for password hash References: - https://passlib.readthedocs.io/en/stable/narr/quickstart.html#recommended-hashes - https://pypi.org/project/argon2-cffi/ - https://pypi.org/project/bcrypt/ Signed-off-by: William José Moreno Reyes <williamjmorenor@gmail.com> * docs: Update docs Signed-off-by: William José Moreno Reyes <williamjmorenor@gmail.com> * Test: Update test Signed-off-by: William José Moreno Reyes <williamjmorenor@gmail.com> --------- Signed-off-by: William José Moreno Reyes <williamjmorenor@gmail.com>
bmosoluciones · Feb 21, 2024 · 52d24cf · 52d24cf
1 parent 72a166b
commit 52d24cf
Show file tree

Hide file tree

Showing 4 changed files with 82 additions and 7 deletions.
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
@@ -80,7 +80,7 @@ Other libraries used in the project are:
 -   appdirs: App directories.
 -   bleach: HTML sanitisation.
 -   configobj: Configuration files parser.
--   bcrypt: Password hashing.
+-   argon2-cffi: Password hashing.
 -   loguru: Logging.
 -   markdown: Render markdown as HTML.
 -   python-ulid: Generate uniques id.

diff --git a/now_lms/auth.py b/now_lms/auth.py
@@ -27,7 +27,8 @@
 # ---------------------------------------------------------------------------------------
 # Librerias de terceros
 # ---------------------------------------------------------------------------------------
-from bcrypt import checkpw, gensalt, hashpw
+from argon2 import PasswordHasher
+from argon2.exceptions import VerifyMismatchError
 from flask import abort, flash
 from flask_login import current_user
 
@@ -37,13 +38,16 @@
 from now_lms.db import Usuario, database
 from now_lms.logs import log
 
-# pylint: disable=R0401
+
+ph = PasswordHasher()
 
 
 def proteger_passwd(clave):
-    """Devuelve una contraseña salteada con bcrytp."""
+    """Devuelve una contraseña salteada con argon2."""
+
+    _hash = ph.hash(clave.encode()).encode("utf-8")
 
-    return hashpw(clave.encode(), gensalt())
+    return _hash
 
 
 def validar_acceso(usuario_id, acceso):
@@ -52,7 +56,10 @@ def validar_acceso(usuario_id, acceso):
     log.trace("Verificando acceso de {usuario}", usuario=usuario_id)
     registro = Usuario.query.filter_by(usuario=usuario_id).first()
     if registro is not None:
-        clave_validada = checkpw(acceso.encode(), registro.acceso)
+        try:
+            clave_validada = ph.verify(registro.acceso, acceso.encode())
+        except VerifyMismatchError:
+            clave_validada = False
     else:  # pragma: no cover
         log.trace("No se encontro registro de usuario {usuario}", usuario=usuario_id)
         clave_validada = False

diff --git a/requirements.txt b/requirements.txt
@@ -1,9 +1,9 @@
 # Librerias de terceros
 alembic
 appdirs
+argon2-cffi
 babel
 bleach
-bcrypt
 configobj
 diskcache
 flask

diff --git a/tests/test_use_cases.py b/tests/test_use_cases.py
@@ -0,0 +1,68 @@
+# Copyright 2021 -2023 William José Moreno Reyes
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Contributors:
+# - William José Moreno Reyes
+
+
+import os
+import sys
+import pytest
+
+from now_lms import log
+
+"""
+Casos de uso mas comunes.
+"""
+
+
+@pytest.fixture
+def lms_application():
+    from now_lms import app
+
+    app.config.update(
+        {
+            "TESTING": True,
+            "SECRET_KEY": "jgjañlsldaksjdklasjfkjj",
+            "SQLALCHEMY_TRACK_MODIFICATIONS": False,
+            "WTF_CSRF_ENABLED": False,
+            "DEBUG": True,
+            "PRESERVE_CONTEXT_ON_EXCEPTION": True,
+            "SQLALCHEMY_ECHO": True,
+            "SQLALCHEMY_DATABASE_URI": "sqlite://",
+        }
+    )
+
+    yield app
+
+
+def test_contraseña_incorrecta(lms_application, request):
+
+    if request.config.getoption("--slow") == "True":
+
+        from now_lms import database, initial_setup
+        from now_lms.auth import validar_acceso
+
+        with lms_application.app_context():
+            from flask_login import current_user
+            from flask_login.mixins import AnonymousUserMixin
+
+            database.drop_all()
+            initial_setup(with_tests=False, with_examples=False)
+
+            with lms_application.test_client() as client:
+                # Keep the session alive until the with clausule closes
+                client.post("/user/login", data={"usuario": "lms-admin", "acceso": "lms_admin"})
+                assert isinstance(current_user, AnonymousUserMixin)
+                assert validar_acceso("lms-admn", "lms-admin") is False