Fix password hashing compatibility

App/routers/admin/routes.py

@@ -2,7 +2,6 @@ from datetime import date
 from typing import Optional
 
 from fastapi import APIRouter, BackgroundTasks, Depends
-from passlib.hash import bcrypt
 from pydantic import BaseModel
 
 from App.routers.admin.models import (
@@ -16,7 +15,7 @@ from App.routers.funds.models import FundFAQ, FundInfo, MutualFund
 from App.routers.funds.runner import run_import
 from App.routers.stocks.models import CorporateAction, Stock
 from App.routers.users.models import User
-from App.routers.users.utils import get_current_user
+from App.routers.users.utils import get_current_user, hash_password
 from App.schemas import AppException, ResponseModel
 
 router = APIRouter(prefix="/admin", tags=["Admin"])
@@ -250,7 +249,7 @@ async def temporary_password(user_id: str, payload: PasswordResetPayload, admin:
     user = await User.get_or_none(id=user_id)
     if not user:
         raise AppException(status_code=404, message="User not found")
-    user.hashed_password = bcrypt.hash(payload.temporary_password)
+    user.hashed_password = hash_password(payload.temporary_password)
     user.must_change_password = payload.must_change_password
     await user.save()
     await audit(admin, "temporary_password_reset", "user", user_id)

App/routers/admin/seed.py

@@ -1,6 +1,5 @@
-from passlib.hash import bcrypt
-
 from App.routers.users.models import User
+from App.routers.users.utils import hash_password
 
 DEFAULT_ADMIN_EMAIL = "MboneaMjema@gmail.com"
 DEFAULT_ADMIN_PASSWORD = "123456789"
@@ -12,7 +11,7 @@ async def ensure_default_admin() -> User:
         user = await User.create(
             username="admin",
             email=DEFAULT_ADMIN_EMAIL,
-            hashed_password=bcrypt.hash(DEFAULT_ADMIN_PASSWORD),
+            hashed_password=hash_password(DEFAULT_ADMIN_PASSWORD),
             is_admin=True,
             is_active=True,
             must_change_password=True,

App/routers/users/routes.py

@@ -6,7 +6,6 @@ from datetime import datetime, timedelta, timezone
 
 from fastapi import APIRouter, Depends
 import httpx
-from passlib.hash import bcrypt
 
 from App.schemas import ResponseModel, AppException
 from .models import User, Watchlist, PasswordResetCode
@@ -29,6 +28,8 @@ from .utils import (
     build_totp_uri,
     generate_totp_secret,
     get_current_user,
+    hash_password,
+    verify_password,
     verify_totp_code,
     SECRET_KEY,
     ALGORITHM,
@@ -95,7 +96,7 @@ async def register(payload: UserCreate):
     user = await User.create(
         username=payload.username,
         email=payload.email,
-        hashed_password=bcrypt.hash(payload.password),
+        hashed_password=hash_password(payload.password),
     )
 
     await Portfolio.create(user=user, name="Default Portfolio")
@@ -115,7 +116,7 @@ async def register(payload: UserCreate):
 async def login(payload: UserLogin):
     user = await User.get_or_none(email=payload.email)
 
-    if not user or not bcrypt.verify(payload.password, user.hashed_password):
+    if not user or not verify_password(payload.password, user.hashed_password):
         raise AppException(status_code=400, message="Invalid email or password")
     if not user.is_active:
         raise AppException(status_code=403, message="User account is disabled")
@@ -196,7 +197,7 @@ async def request_password_reset(payload: ForgotPasswordRequest):
     expires_at = datetime.now(timezone.utc) + timedelta(minutes=PASSWORD_RESET_CODE_EXPIRE_MINUTES)
     await PasswordResetCode.create(
         user=user,
-        code_hash=bcrypt.hash(code),
+        code_hash=hash_password(code),
         expires_at=expires_at,
     )
 
@@ -224,14 +225,14 @@ async def reset_password(payload: ResetPasswordRequest):
         expires_at = reset_code.expires_at
         if expires_at.tzinfo is None:
             expires_at = expires_at.replace(tzinfo=timezone.utc)
-        if expires_at >= now and bcrypt.verify(code, reset_code.code_hash):
+        if expires_at >= now and verify_password(code, reset_code.code_hash):
             matching_code = reset_code
             break
 
     if not matching_code:
         raise AppException(status_code=400, message="Invalid or expired reset code")
 
-    user.hashed_password = bcrypt.hash(payload.new_password)
+    user.hashed_password = hash_password(payload.new_password)
     matching_code.used_at = now
     await user.save()
     await matching_code.save()

App/routers/users/utils.py

@@ -10,6 +10,7 @@ from fastapi import Depends
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from App.schemas import AppException
 from .models import User
+from passlib.hash import bcrypt, bcrypt_sha256
 
 SECRET_KEY = os.getenv("SECRET_KEY", "dev-secret-key-change-in-production")
 ALGORITHM = "HS256"
@@ -18,6 +19,20 @@ APP_ISSUER = os.getenv("APP_ISSUER", "Uwekezaji")
 _security = HTTPBearer()
 
 
+def hash_password(password: str) -> str:
+    """Hash passwords without bcrypt's 72-byte input limit."""
+    return bcrypt_sha256.hash(password)
+
+
+def verify_password(password: str, password_hash: str) -> bool:
+    """Verify both new bcrypt-sha256 hashes and legacy bcrypt hashes."""
+    if not password_hash:
+        return False
+    if password_hash.startswith("$bcrypt-sha256$"):
+        return bcrypt_sha256.verify(password, password_hash)
+    return bcrypt.verify(password[:72], password_hash)
+
+
 async def get_current_user(
     credentials: HTTPAuthorizationCredentials = Depends(_security),
 ) -> User:

requirements.txt

@@ -27,6 +27,6 @@ typing_extensions==4.12.2
 #
 httpx
 bs4
-passlib
+passlib==1.7.4
 PyJWT
-bcrypt
+bcrypt==4.0.1