From 6e2ede50dc5e868aacd54ee803777bd0c5a20536 Mon Sep 17 00:00:00 2001
From: Tanner Collin
Date: Sun, 23 Nov 2025 12:04:49 -0700
Subject: [PATCH] Use - as hash delimiter instead
---
 app/app.py | 5 +++--
 app/config.py | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/app/app.py b/app/app.py
index d71dba4..7d5b004 100644
--- a/app/app.py
+++ b/app/app.py
@@ -234,7 +234,8 @@ def _hash_password(pw: str) -> str:
 salt = os.urandom(16)
 iterations = 200_000
 dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
- return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
+ # use - as the delimiter to avoid Docker env variable substitution
+ return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
 except Exception:
 return ""
@@ -243,7 +244,7 @@ def _verify_password(stored: str, pw: Optional[str]) -> bool:
 if not pw or not stored:
 return False
 try:
- algo, iter_s, salt_hex, hash_hex = stored.split("$")
+ algo, iter_s, salt_hex, hash_hex = stored.split("-")
 if algo != 'pbkdf2_sha256':
 return False
 iterations = int(iter_s)
diff --git a/app/config.py b/app/config.py
index f2c13cc..397af94 100644
--- a/app/config.py
+++ b/app/config.py
@@ -34,7 +34,8 @@ def _hash_password(pw: str) -> str:
 salt = os.urandom(16)
 iterations = 200_000
 dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
- return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
+ # use - as the delimiter to avoid Docker env variable substitution
+ return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
 except Exception:
 return ""
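Review bot: The delimiter is a bare literal in this f-string, again in the `stored.split("-")` of `_verify_password`, and a third time in the identical `_hash_password` hunk in app/config.py, so the writer and the parser of the stored hash can drift apart with no symptom other than failed logins. A module-level constant such as `_HASH_DELIM = "-"` used by both functions, with app/config.py importing one shared `_hash_password` instead of carrying its own copy, would keep the format in one place. The added comment could also record the full layout, e.g. `# format: pbkdf2_sha256-<iterations>-<salt hex>-<dk hex>; "-" avoids Docker env variable substitution of "$"`. The function's `try:` opens above the hunk.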
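Review bot: Hashes generated before this commit still use `$`, and `stored.split("-")` on such a value yields a single element, so the four-way unpack raises; presumably the enclosing `try` (its handler is outside the hunk) turns that into `False`, which means every previously stored password stops verifying with no indication why. Accepting both layouts keeps old values working: `delim = "$" if "$" in stored else "-"` followed by `algo, iter_s, salt_hex, hash_hex = stored.split(delim)`; neither character can occur in the algorithm name, the iteration count or the hex fields. If the old format is being dropped on purpose, a log line when `stored` starts with `pbkdf2_sha256$` would tell the operator to regenerate the hash.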