tanner/image-drop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use - as hash delimiter instead

Browse Source
This commit is contained in:
Tanner Collin
2025-11-23 12:04:49 -07:00
parent c5b161487b
commit a5aa45759c
2 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/app.py
View File

@@ -234,7 +234,8 @@ def _hash_password(pw: str) -> str:
salt = os.urandom(16) salt = os.urandom(16)
iterations = 200_000 iterations = 200_000
dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations) dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}" # use - as the delimiter to avoid Docker env variable substitution
return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
except Exception: except Exception:
return "" return ""
@@ -243,7 +244,7 @@ def _verify_password(stored: str, pw: Optional[str]) -> bool:
if not pw or not stored: if not pw or not stored:
return False return False
try: try:
algo, iter_s, salt_hex, hash_hex = stored.split("$") algo, iter_s, salt_hex, hash_hex = stored.split("-")
if algo != 'pbkdf2_sha256': if algo != 'pbkdf2_sha256':
return False return False
iterations = int(iter_s) iterations = int(iter_s)
@@ -901,7 +902,7 @@ async def api_login(request: Request) -> JSONResponse:
stored_password = SETTINGS.admin_password stored_password = SETTINGS.admin_password
password_ok = False password_ok = False
if stored_password.startswith("pbkdf2_sha256$"): if stored_password.startswith("pbkdf2_sha256-"):
password_ok = _verify_password(stored_password, password) password_ok = _verify_password(stored_password, password)
else: else:
password_ok = (password == stored_password) password_ok = (password == stored_password)

5
app/config.py
View File

@@ -34,7 +34,8 @@ def _hash_password(pw: str) -> str:
salt = os.urandom(16) salt = os.urandom(16)
iterations = 200_000 iterations = 200_000
dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations) dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}" # use - as the delimiter to avoid Docker env variable substitution
return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
except Exception: except Exception:
return "" return ""
@@ -46,7 +47,7 @@ def load_settings() -> Settings:
except Exception: except Exception:
pass pass
admin_password = os.getenv("ADMIN_PASSWORD", "admin") # Default for convenience, should be changed admin_password = os.getenv("ADMIN_PASSWORD", "admin") # Default for convenience, should be changed
if not admin_password.startswith("pbkdf2_sha256$"): if not admin_password.startswith("pbkdf2_sha256-"):
print("="*60) print("="*60)
print("WARNING: ADMIN_PASSWORD is in plaintext.") print("WARNING: ADMIN_PASSWORD is in plaintext.")
print("For better security, use the hashed password below in your .env file:") print("For better security, use the hashed password below in your .env file:")