From a5aa45759c4dfd94ef848dc623bef4cc486bdc2e Mon Sep 17 00:00:00 2001
From: Tanner Collin
Date: Sun, 23 Nov 2025 12:04:49 -0700
Subject: [PATCH] Use - as hash delimiter instead
---
 app/app.py | 7 ++++---
 app/config.py | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/app/app.py b/app/app.py
index d71dba4..31e26fc 100644
--- a/app/app.py
+++ b/app/app.py
@@ -234,7 +234,8 @@ def _hash_password(pw: str) -> str:
 salt = os.urandom(16)
 iterations = 200_000
 dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
- return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
+ # use - as the delimiter to avoid Docker env variable substitution
+ return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
 except Exception:
 return ""
@@ -243,7 +244,7 @@ def _verify_password(stored: str, pw: Optional[str]) -> bool:
 if not pw or not stored:
 return False
 try:
- algo, iter_s, salt_hex, hash_hex = stored.split("$")
+ algo, iter_s, salt_hex, hash_hex = stored.split("-")
 if algo != 'pbkdf2_sha256':
 return False
 iterations = int(iter_s)
@@ -901,7 +902,7 @@ async def api_login(request: Request) -> JSONResponse:
 stored_password = SETTINGS.admin_password
 password_ok = False
- if stored_password.startswith("pbkdf2_sha256$"):
+ if stored_password.startswith("pbkdf2_sha256-"):
 password_ok = _verify_password(stored_password, password)
 else:
 password_ok = (password == stored_password)
diff --git a/app/config.py b/app/config.py
index f2c13cc..5c1bc10 100644
--- a/app/config.py
+++ b/app/config.py
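Review bot: The `_hash_password` patched here is a byte-for-byte copy of the one patched in app/config.py later in this same commit, and the delimiter change had to be applied in both places; the next edit that touches only one copy will leave hashes printed by config.py unverifiable by app.py (or vice versa). If app.py needs the helper at all, importing the single implementation from config would remove that drift. The new comment should also record the compatibility consequence of the change, e.g. `# '-' instead of '$' so Compose/.env interpolation leaves the value intact; hashes minted with the old '$' format must be regenerated`. The `try` this code sits in opens before the hunk.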
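Review bot: The new `stored.split("-")` rejects every hash produced before this commit, which used `$`, so an ADMIN_PASSWORD already deployed in the old format stops verifying without any error. Since the algorithm name, the decimal iteration count and the two hex fields can contain neither `$` nor `-`, both forms can be accepted unambiguously: `sep = "$" if "$" in stored else "-"` followed by `algo, iter_s, salt_hex, hash_hex = stored.split(sep)`. The rest of the body, including the final digest comparison, lies outside the hunk; it is worth confirming that comparison uses `hmac.compare_digest` rather than `==`.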
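Review bot: A legacy `pbkdf2_sha256$...` value no longer satisfies the new `startswith` check and drops into the `else` branch, where `password == stored_password` compares the submitted password against the hash string itself — until the operator regenerates the hash, the real password is rejected and the literal hash string is accepted as the admin password. Accepting both prefixes, `if stored_password.startswith(("pbkdf2_sha256$", "pbkdf2_sha256-")):`, together with a delimiter-tolerant `_verify_password`, keeps existing deployments working. While here, the plaintext fallback is a non-constant-time `==`; `hmac.compare_digest(password.encode(), stored_password.encode())` (importing `hmac` if the module does not already) would match the care taken on the hashed path. `api_login` continues beyond the hunk.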
@@ -34,7 +34,8 @@ def _hash_password(pw: str) -> str:
 salt = os.urandom(16)
 iterations = 200_000
 dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
- return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
+ # use - as the delimiter to avoid Docker env variable substitution
+ return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
 except Exception:
 return ""
@@ -46,7 +47,7 @@ def load_settings() -> Settings:
 except Exception:
 pass
 admin_password = os.getenv("ADMIN_PASSWORD", "admin") # Default for convenience, should be changed
- if not admin_password.startswith("pbkdf2_sha256$"):
+ if not admin_password.startswith("pbkdf2_sha256-"):
 print("="*60)
 print("WARNING: ADMIN_PASSWORD is in plaintext.")
 print("For better security, use the hashed password below in your .env file:")
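Review bot: The new `startswith("pbkdf2_sha256-")` test classifies an existing `pbkdf2_sha256$...` hash as plaintext, so an operator who followed this very warning earlier now sees "ADMIN_PASSWORD is in plaintext" and a fresh hash, with no hint that the storage format changed underneath them. Checking both prefixes, `if not admin_password.startswith(("pbkdf2_sha256$", "pbkdf2_sha256-")):`, keeps the warning truthful, and the printed guidance should gain a line saying that `$`-delimited hashes from earlier versions must be regenerated (or that `$` has to be written as `$$` in Compose `.env` files). The default `"admin"` still passes through this branch silently apart from the generic warning; naming it explicitly in the message would make the insecure-default case harder to miss. `load_settings` continues past the hunk.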