Replace passlib with direct bcrypt usage

nikolay-e · nikolay-e · commit 5e5257c830f8 · 2026-03-07T12:10:31.000+01:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -60,7 +60,6 @@ dependencies = [
     "Flask>=3.1.1",
     "Flask-Login>=0.6.3",
     "cryptography>=45.0.5",
-    "passlib>=1.7.4",
     "bcrypt>=4.0.0",
     "flask-wtf>=1.2.1",
     "flask-limiter>=3.8.0",
diff --git a/src/security.py b/src/security.py
@@ -2,32 +2,36 @@
 from base64 import b64decode, b64encode
 from typing import cast
 
+import bcrypt
 from cryptography.fernet import Fernet
 from dotenv import load_dotenv
-from passlib.context import CryptContext
 
 from logging_config import get_logger
 
 load_dotenv()
 
 logger = get_logger(__name__)
 
-# --- Password Hashing ---
-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-
 
 def verify_password(plain_password: str, hashed_password: str) -> bool:
-    """Verify a plain password against its hash."""
     try:
-        return bool(pwd_context.verify(plain_password, hashed_password))
+        return bool(
+            bcrypt.checkpw(
+                plain_password.encode("utf-8")[:72],
+                hashed_password.encode("utf-8"),
+            )
+        )
     except Exception as e:
         logger.error("password_verification_error", error=str(e))
         return False
 
 
 def get_password_hash(password: str) -> str:
-    """Generate password hash."""
-    return str(pwd_context.hash(password))
+    hashed: bytes = bcrypt.hashpw(
+        password.encode("utf-8")[:72],
+        bcrypt.gensalt(),
+    )
+    return hashed.decode("utf-8")
 
 
 # --- Per-User Credential Encryption ---
