Merge pull request #10 from TronoSfera/codex/fix-bcrypt-version-reading-error

Avoid bcrypt 72-byte errors by SHA-256 hashing long passwords
2026-05-18 10:03:32 +03:00 · 2026-01-19 11:54:17 +03:00 · 2026-01-19 11:54:17 +03:00 · dc228618c5
commit dc228618c5
parent d92aac0715 e87ffbd60d
1 changed files with 5 additions and 3 deletions
--- a/server/auth.py
+++ b/server/auth.py
@ -15,6 +15,7 @@ from __future__ import annotations

 import os
 import datetime
+import hashlib
 from typing import Optional

 from jose import JWTError, jwt
@ -45,16 +46,17 @@ except Exception:
 pwd_context = CryptContext(schemes=["bcrypt_sha256", "bcrypt"], deprecated="auto")


-def _normalize_bcrypt_password(password: str) -> str | bytes:
+def _normalize_bcrypt_password(password: str) -> str:
    """Normalize passwords to avoid bcrypt's 72-byte length limit.

    Some bcrypt backends raise a ValueError for passwords longer than 72 bytes.
-    Truncate to 72 bytes to match typical bcrypt behavior instead of crashing.
+    Instead of truncating, hash the original bytes with SHA-256 to preserve
+    entropy while ensuring the input length stays within bcrypt limits.
    """
    encoded = password.encode("utf-8")
    if len(encoded) <= 72:
        return password
-    return encoded[:72]
+    return hashlib.sha256(encoded).hexdigest()

 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/login", auto_error=False)