Use - as hash delimiter instead

app/app.py

@@ -234,7 +234,8 @@ def _hash_password(pw: str) -> str:
         salt = os.urandom(16)
         iterations = 200_000
         dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
-        return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
+        # use - as the delimiter to avoid Docker env variable substitution
+        return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
     except Exception:
         return ""
 
@@ -243,7 +244,7 @@ def _verify_password(stored: str, pw: Optional[str]) -> bool:
     if not pw or not stored:
         return False
     try:
-        algo, iter_s, salt_hex, hash_hex = stored.split("$")
+        algo, iter_s, salt_hex, hash_hex = stored.split("-")
         if algo != 'pbkdf2_sha256':
             return False
         iterations = int(iter_s)

app/config.py

@@ -34,7 +34,8 @@ def _hash_password(pw: str) -> str:
         salt = os.urandom(16)
         iterations = 200_000
         dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
-        return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
+        # use - as the delimiter to avoid Docker env variable substitution
+        return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
     except Exception:
         return ""
 
@@ -46,7 +47,7 @@ def load_settings() -> Settings:
     except Exception:
         pass
     admin_password = os.getenv("ADMIN_PASSWORD", "admin") # Default for convenience, should be changed
-    if not admin_password.startswith("pbkdf2_sha256$"):
+    if not admin_password.startswith("pbkdf2_sha256-"):
         print("="*60)
         print("WARNING: ADMIN_PASSWORD is in plaintext.")
         print("For better security, use the hashed password below in your .env file:")