Skip to content

feat: Make password hashing parameters configurable #2332

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dpgaspar merged 3 commits into from
Apr 17, 2025
Merged

feat: Make password hashing parameters configurable #2332

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9e3564e
Make password hashing parameters configurable
denis-ismailaj Apr 9, 2025
78161de
black linting fixes
denis-ismailaj Apr 9, 2025
ddbd54f
Merge branch 'master' into configurable-pass-hashing
dpgaspar Apr 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion bin/hash_db_password.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,11 @@

for user in users:
log.info("Hashing password for {0}".format(user.username))
user.password = generate_password_hash(user.password)
user.password = generate_password_hash(
password=user.password,
method=app.config.get('FAB_PASSWORD_HASH_METHOD', 'scrypt'),
salt_length=app.config.get('FAB_PASSWORD_HASH_SALT_LENGTH', 16),
)
try:
db.session.merge(user)
db.session.commit()
Expand Down
10 changes: 10 additions & 0 deletions docs/config.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -325,6 +325,16 @@ Use config.py to configure the following parameters. By default it will use SQLL
| | validation for AUTH database users. | No |
| | Default is False. | |
+----------------------------------------+--------------------------------------------+-----------+
| FAB_PASSWORD_HASH_METHOD | Sets the password hashing method. For the | |
| | supported parameters see | |
| | `generate_password_hash`_. | No |
| | Default: ``'scrypt'``. | |
+----------------------------------------+--------------------------------------------+-----------+
| FAB_PASSWORD_HASH_SALT_LENGTH | Sets the password hashing salt length. | No |
| | Default: ``16``. | |
+----------------------------------------+--------------------------------------------+-----------+

.. _generate_password_hash: https://werkzeug.palletsprojects.com/en/stable/utils/#werkzeug.security.generate_password_hash

Note
----
Expand Down
10 changes: 9 additions & 1 deletion flask_appbuilder/security/manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -950,7 +950,15 @@ def reset_password(self, userid, password):
The clear text password to reset and save hashed on the db
"""
user = self.get_user_by_id(userid)
user.password = generate_password_hash(password)
user.password = generate_password_hash(
password=password,
method=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_METHOD", "scrypt"
),
salt_length=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_SALT_LENGTH", 16
),
)
self.update_user(user)

def update_user_auth_stat(self, user, success=True):
Expand Down
20 changes: 18 additions & 2 deletions flask_appbuilder/security/mongoengine/manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,15 @@
if hashed_password:
register_user.password = hashed_password
else:
register_user.password = generate_password_hash(password)
register_user.password = generate_password_hash(

Check warning on line 97 in flask_appbuilder/security/mongoengine/manager.py

View check run for this annotation

Codecov / codecov/patch

flask_appbuilder/security/mongoengine/manager.py#L97 

Added line #L97 was not covered by tests
password=password,
method=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_METHOD", "scrypt"
),
salt_length=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_SALT_LENGTH", 16
),
)
register_user.registration_hash = str(uuid.uuid1())
register_user.save()
return register_user
Expand Down Expand Up @@ -141,7 +149,15 @@
if hashed_password:
user.password = hashed_password
else:
user.password = generate_password_hash(password)
user.password = generate_password_hash(

Check warning on line 152 in flask_appbuilder/security/mongoengine/manager.py

View check run for this annotation

Codecov / codecov/patch

flask_appbuilder/security/mongoengine/manager.py#L152 

Added line #L152 was not covered by tests
password=password,
method=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_METHOD", "scrypt"
),
salt_length=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_SALT_LENGTH", 16
),
)
user.save()
log.info(c.LOGMSG_INF_SEC_ADD_USER, username)
return user
Expand Down
20 changes: 18 additions & 2 deletions flask_appbuilder/security/sqla/apis/user/api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,10 +69,26 @@ def pre_update(self, item):
item.changed_on = datetime.now()
item.changed_by_fk = g.user.id
if item.password:
item.password = generate_password_hash(item.password)
item.password = generate_password_hash(
password=item.password,
method=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_METHOD", "scrypt"
),
salt_length=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_SALT_LENGTH", 16
),
)

def pre_add(self, item):
item.password = generate_password_hash(item.password)
item.password = generate_password_hash(
password=item.password,
method=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_METHOD", "scrypt"
),
salt_length=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_SALT_LENGTH", 16
),
)

@expose("/", methods=["POST"])
@protect()
Expand Down
20 changes: 18 additions & 2 deletions flask_appbuilder/security/sqla/manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,15 @@
if hashed_password:
register_user.password = hashed_password
else:
register_user.password = generate_password_hash(password)
register_user.password = generate_password_hash(

Check warning on line 144 in flask_appbuilder/security/sqla/manager.py

View check run for this annotation

Codecov / codecov/patch

flask_appbuilder/security/sqla/manager.py#L144 

Added line #L144 was not covered by tests
password=password,
method=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_METHOD", "scrypt"
),
salt_length=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_SALT_LENGTH", 16
),
)
register_user.registration_hash = str(uuid.uuid1())
try:
self.get_session.add(register_user)
Expand Down Expand Up @@ -234,7 +242,15 @@
if hashed_password:
user.password = hashed_password
else:
user.password = generate_password_hash(password)
user.password = generate_password_hash(
password=password,
method=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_METHOD", "scrypt"
),
salt_length=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_SALT_LENGTH", 16
),
)
self.get_session.add(user)
self.get_session.commit()
log.info(c.LOGMSG_INF_SEC_ADD_USER, username)
Expand Down
10 changes: 9 additions & 1 deletion flask_appbuilder/security/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -446,7 +446,15 @@ def pre_update(self, item: Any) -> None:
item.changed_by_fk = g.user.id

def pre_add(self, item: Any) -> None:
item.password = generate_password_hash(item.password)
item.password = generate_password_hash(
password=item.password,
method=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_METHOD", "scrypt"
),
salt_length=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_SALT_LENGTH", 16
),
)


class UserStatsChartView(DirectByChartView):
Expand Down
10 changes: 9 additions & 1 deletion tests/test_security_api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,15 @@ def _create_test_user(
user.username = username
user.email = email
user.roles = roles
user.password = generate_password_hash(password)
user.password = generate_password_hash(
password=password,
method=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_METHOD", "scrypt"
),
salt_length=self.appbuilder.get_app.config.get(
"FAB_PASSWORD_HASH_SALT_LENGTH", 16
),
)
self.session.commit()
return user

Expand Down