Vulnerability audit for 0.7.0 & Removal of passlib as dependency (#185)

.gitignore

@@ -21,6 +21,7 @@ rosalution-annotation-log.txt*
 *.graphql
 
 **/node_modules/**
+**/.vite/**
 
 # e2e run captures
 /system-tests/cypress/downloads

CHANGELOG.md

@@ -1,11 +1,17 @@
 <!-- markdownlint-disable-file MD024 -->
 # Changelog
 
-## 0.7.0 - latest
+## 0.7.0
 
 ### Features
 
-### Bug Fixes
+- Support for attaching documents, URLs, and Images to fields on an Analysis landing page.
+- HTTPs by default for deployments
+- Versioning for Annotations as dictated by configuration
+- Analyses have a version manifest of annotation's dataset, source, and version
+- Render's annotations for an analysis according to it's version manifest
+- Timestamped discussions for analyses to which allow users to create, update, and remove text-based
+  messages to each other within an analysis.
 
 ## 0.6.0
 

backend/requirements.txt

@@ -7,7 +7,7 @@ jq==1.6.0
 
 python-multipart==0.0.7
 PyJWT[crypto]==2.8.0
-passlib[bcrypt]==1.7.4
+bcrypt==4.2.0
 
 # dev
 pytest-cov==4.0.0

backend/src/security/security.py

@@ -14,15 +14,12 @@
 from fastapi import Depends, HTTPException, Response, status
 from fastapi.security import SecurityScopes
 
-from passlib.context import CryptContext
+import bcrypt
 
 from ..dependencies import oauth2_scheme
 
-# from ..models.token import TokenData
 from ..config import Settings, get_settings
 
-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-
 SECURITY_SCOPES = {
     "pre-clinical-intake": "Pre-Clinical Intake",
     "bioinformatics-section-user": "Bioinformatics Section User",
@@ -56,12 +53,17 @@ def create_access_token(
 
 def get_password_hash(password):
     """Takes the plain password and makes a hash from it using CryptContext"""
-    return pwd_context.hash(password)
+    pwd_bytes = password.encode('utf-8')
+    salt = bcrypt.gensalt()
+    hashed_password = bcrypt.hashpw(password=pwd_bytes, salt=salt)
+    return hashed_password
 
 
 def verify_password(plain_password, hashed_password):
     """This will use the CryptContext to hash the plain password and check against the stored pass hash to verify"""
-    return pwd_context.verify(plain_password, hashed_password)
+    password_byte_encoded = plain_password.encode('utf-8')
+    hashed_password = hashed_password.encode('utf-8')
+    return bcrypt.checkpw(password=password_byte_encoded, hashed_password=hashed_password)
 
 
 def authenticate_password(user: Optional[dict], password: str):

frontend/package.json

@@ -25,16 +25,16 @@
     "vue-router": "4.2.5"
   },
   "devDependencies": {
-    "@vitejs/plugin-vue": "5.0.5",
-    "@vitest/coverage-v8": "1.6.0",
-    "@vitest/ui": "1.6.0",
+    "@vitejs/plugin-vue": "5.1.4",
+    "@vitest/coverage-v8": "2.1.1",
+    "@vitest/ui": "2.1.1",
     "@vue/test-utils": "2.4.1",
     "eslint": "8.50.0",
     "eslint-config-google": "0.14.0",
     "eslint-plugin-vue": "9.17.0",
     "happy-dom": "14.12.3",
-    "sinon": "16.0.0",
-    "vite": "5.3.2",
-    "vitest": "1.6.0"
+    "sinon": "19.0.2",
+    "vite": "5.4.8",
+    "vitest": "2.1.1"
   }
 }

frontend/vite.config.js

@@ -16,6 +16,9 @@ export default defineConfig({
       functions: 80,
       branches: 80,
     },
+    sequence: {
+      hooks: 'parallel',
+    },
   },
   resolve: {
     alias: {