tanner/image-drop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use - as hash delimiter instead

Browse Source
This commit is contained in:
Tanner Collin
2025-11-23 12:04:49 -07:00
parent c5b161487b
commit a5aa45759c
2 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/app.py
View File

@@ -234,7 +234,8 @@ def _hash_password(pw: str) -> str:
salt = os.urandom(16)
iterations = 200_000
dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
# use - as the delimiter to avoid Docker env variable substitution
return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
except Exception:
return ""
@@ -243,7 +244,7 @@ def _verify_password(stored: str, pw: Optional[str]) -> bool:
if not pw or not stored:
return False
try:
algo, iter_s, salt_hex, hash_hex = stored.split("$")
algo, iter_s, salt_hex, hash_hex = stored.split("-")
if algo != 'pbkdf2_sha256':
return False
iterations = int(iter_s)
@@ -901,7 +902,7 @@ async def api_login(request: Request) -> JSONResponse:
stored_password = SETTINGS.admin_password
password_ok = False
if stored_password.startswith("pbkdf2_sha256$"):
if stored_password.startswith("pbkdf2_sha256-"):
password_ok = _verify_password(stored_password, password)
else:
password_ok = (password == stored_password)

5
app/config.py
View File

@@ -34,7 +34,8 @@ def _hash_password(pw: str) -> str:
salt = os.urandom(16)
iterations = 200_000
dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
# use - as the delimiter to avoid Docker env variable substitution
return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
except Exception:
return ""
@@ -46,7 +47,7 @@ def load_settings() -> Settings:
except Exception:
pass
admin_password = os.getenv("ADMIN_PASSWORD", "admin") # Default for convenience, should be changed
if not admin_password.startswith("pbkdf2_sha256$"):
if not admin_password.startswith("pbkdf2_sha256-"):
print("="*60)
print("WARNING: ADMIN_PASSWORD is in plaintext.")
print("For better security, use the hashed password below in your .env file:")