Source code on GitHub and PyPI differs
mahenzon opened this issue · 1 comments
mahenzon commented
I noticed that Flask-Bcrypt==0.7.1 installed from PyPI is not the same as the one found in this repo (even though it's 0.7.1 too: https://github.com/maxcountryman/flask-bcrypt/blob/13df85ab1b4d7602a967c7ec1c6707c8cda459c6/flask_bcrypt.py).
Here's a comparison, PyPI vs repo (repo is newer):
4,6c4,6
<
< A Flask extension providing bcrypt hasing and comparison facilities.
<
---
>
> A Flask extension providing bcrypt hashing and comparison facilities.
>
28a29,30
> import hashlib
>
40,41c42,44
< To this this function, simple import it from the module and use it in a
< similar fashion as the method would be used. Here is a quick example::
---
> To use this function, simply import it from the module and use it in a
> similar fashion as the original method would be used. Here is a quick
> example::
43c46
< from flask.ext.bcrypt import generate_password_hash
---
> from flask_bcrypt import generate_password_hash
57,61c60,65
<
< To this this function, simple import it from the module and use it in a
< similar fashion as the method would be used. Here is a quick example::
<
< from flask.ext.bcrypt import check_password_hash
---
>
> To use this function, simply import it from the module and use it in a
> similar fashion as the original method would be used. Here is a quick
> example::
>
> from flask_bcrypt import check_password_hash
63c67
<
---
>
119c123,138
<
---
>
> You may also set the hash version using the `BCRYPT_HASH_PREFIX` field in
> the configuration of the Flask app. If not set, this will default to `2b`.
> (See bcrypt for more details)
>
> By default, the bcrypt algorithm has a maximum password length of 72 bytes
> and ignores any bytes beyond that. A common workaround is to hash the
> given password using a cryptographic hash (such as `sha256`), take its
> hexdigest to prevent NULL byte problems, and hash the result with bcrypt.
> If the `BCRYPT_HANDLE_LONG_PASSWORDS` configuration value is set to `True`,
> the workaround described above will be enabled.
> **Warning: do not enable this option on a project that is already using
> Flask-Bcrypt, or you will break password checking.**
> **Warning: if this option is enabled on an existing project, disabling it
> will break password checking.**
>
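Review bot: The two warnings at the end of this docstring say that toggling `BCRYPT_HANDLE_LONG_PASSWORDS` breaks password checking but not why, and the hash returned by `bcrypt.hashpw(password, salt)` carries no marker of which mode produced it. State that the SHA-256 pre-hash is applied to every password when the option is on, not only to those longer than 72 bytes, so a hash created in one mode never verifies in the other. A sentence on how an existing deployment can migrate (for example by re-hashing at the next successful login) would also help.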
123a143,144
> _prefix = '2b'
> _handle_long_passwords = False
135,139c156,181
<
< def generate_password_hash(self, password, rounds=None):
< '''Generates a password hash using bcrypt. Specifying `rounds`
< sets the log_rounds parameter of `bcrypt.gensalt()` which determines
< the complexity of the salt. 12 is the default value.
---
> self._prefix = app.config.get('BCRYPT_HASH_PREFIX', '2b')
> self._handle_long_passwords = app.config.get(
> 'BCRYPT_HANDLE_LONG_PASSWORDS', False)
>
> def _unicode_to_bytes(self, unicode_string):
> '''Converts a unicode string to a bytes object.
>
> :param unicode_string: The unicode string to convert.'''
> if PY3:
> if isinstance(unicode_string, str):
> bytes_object = bytes(unicode_string, 'utf-8')
> else:
> bytes_object = unicode_string
> else:
> if isinstance(unicode_string, unicode):
> bytes_object = unicode_string.encode('utf-8')
> else:
> bytes_object = unicode_string
> return bytes_object
>
> def generate_password_hash(self, password, rounds=None, prefix=None):
> '''Generates a password hash using bcrypt. Specifying `rounds`
> sets the log_rounds parameter of `bcrypt.gensalt()` which determines
> the complexity of the salt. 12 is the default value. Specifying `prefix`
> sets the `prefix` parameter of `bcrypt.gensalt()` which determines the
> version of the algorithm used to create the hash.
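Review bot: `BCRYPT_HASH_PREFIX` is read with `app.config.get('BCRYPT_HASH_PREFIX', '2b')` and stored without any check, so a mistyped value goes unnoticed until `generate_password_hash` passes it to `bcrypt.gensalt()`. Validate it when the app is configured and fail with a clear error there. In the docstring, `rounds` is still described as determining "the complexity of the salt"; it is the cost factor of the hash, and since this hunk rewrites that paragraph it is the place to correct the wording.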
147a190
> :param prefix: The algorithm version to use.
154a198,199
> if prefix is None:
> prefix = self._prefix
157,158c202,203
< if PY3 and isinstance(password, str):
< password = bytes(password, 'utf-8')
---
> password = self._unicode_to_bytes(password)
> prefix = self._unicode_to_bytes(prefix)
160,161c205,207
< if not PY3 and isinstance(password, unicode):
< password = password.encode('utf-8')
---
> if self._handle_long_passwords:
> password = hashlib.sha256(password).hexdigest()
> password = self._unicode_to_bytes(password)
163c209,210
< return bcrypt.hashpw(password, bcrypt.gensalt(rounds))
---
> salt = bcrypt.gensalt(rounds=rounds, prefix=prefix)
> return bcrypt.hashpw(password, salt)
181,182c228,229
< if PY3 and isinstance(pw_hash, str):
< pw_hash = bytes(pw_hash, 'utf-8')
---
> pw_hash = self._unicode_to_bytes(pw_hash)
> password = self._unicode_to_bytes(password)
184,185c231,233
< if PY3 and isinstance(password, str):
< password = bytes(password, 'utf-8')
---
> if self._handle_long_passwords:
> password = hashlib.sha256(password).hexdigest()
> password = self._unicode_to_bytes(password)
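Review bot: The three lines under `if self._handle_long_passwords:` in the checking path repeat the ones added to `generate_password_hash`. Move them into one private helper next to `_unicode_to_bytes` that both methods call, so hashing and checking cannot drift apart, and add a test that round-trips a password longer than 72 bytes with the option enabled.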
187,192d234
< if not PY3 and isinstance(pw_hash, unicode):
< pw_hash = pw_hash.encode('utf-8')
<
< if not PY3 and isinstance(password, unicode):
< password = password.encode('utf-8')
<
194d235
<
PyPI was updated a long time ago and lacks such features as long_passwords, etc.
bcrypt==3.2.0
Flask-Bcrypt==0.7.1