fix: default hash method for Werkzeug < 3.0.0

potiuk · potiuk · commit 8282a1888e25 · 2025-06-17T23:00:38.000+02:00
Follow up after dpgaspar#2306. Later configuration was added in dpgaspar#2332 that added default configuration for hash method and also there scrypt was set as default, however Werkzeug < 3.0.0 does not support it. This PR retrieves the default method properly, depending on installed Werkzeug version.
diff --git a/bin/hash_db_password.py b/bin/hash_db_password.py
@@ -4,7 +4,7 @@
 from werkzeug.security import generate_password_hash
 
 from flask_appbuilder.security.sqla.models import User
-
+from flask_appbuilder.security.utils import get_default_hash_method
 
 try:
     from app import app, db
@@ -36,11 +36,13 @@
     log.error("Config db key {}".format(app.config['SQLALCHEMY_DATABASE_URI']))
     exit()
 
+
 for user in users:
     log.info("Hashing password for {0}".format(user.username))
+
     user.password = generate_password_hash(
         password=user.password,
-        method=app.config.get('FAB_PASSWORD_HASH_METHOD', 'scrypt'),
+        method=get_default_hash_method(app),
         salt_length=app.config.get('FAB_PASSWORD_HASH_SALT_LENGTH', 16),
     )
     try:
@@ -49,5 +51,5 @@
     except Exception as e:
         db.session.rollback()
         log.error("Error updating password for {0}: {1}".format(user.full_name, str(e)))
-        
+
 
diff --git a/flask_appbuilder/_compat.py b/flask_appbuilder/_compat.py
@@ -1,11 +1,11 @@
 # -*- coding: utf-8 -*-
 """
-    Some py2/py3 compatibility support based on a stripped down
-    version of six so we don't have to depend on a specific version
-    of it.
+Some py2/py3 compatibility support based on a stripped down
+version of six so we don't have to depend on a specific version
+of it.
 
-    :copyright: (c) 2013 by Armin Ronacher.
-    :license: BSD, see LICENSE for more details.
+:copyright: (c) 2013 by Armin Ronacher.
+:license: BSD, see LICENSE for more details.
 """
 import sys
 
diff --git a/flask_appbuilder/api/__init__.py b/flask_appbuilder/api/__init__.py
@@ -119,7 +119,7 @@ def wraps(self: "BaseApi", *args: Any, **kwargs: Any) -> Response:
 
 
 def rison(
-    schema: Optional[Dict[str, Any]] = None
+    schema: Optional[Dict[str, Any]] = None,
 ) -> Callable[[Callable[..., Any]], Callable[..., Any]]:
     """
     Use this decorator to parse URI *Rison* arguments to
diff --git a/flask_appbuilder/console.py b/flask_appbuilder/console.py
@@ -1,10 +1,11 @@
 """
-    Console utility to help manage F.A.B's apps
+Console utility to help manage F.A.B's apps
 
-    use:
+use:
 
-    $ fabmanager --help
+$ fabmanager --help
 """
+
 from io import BytesIO
 import os
 import shutil
diff --git a/flask_appbuilder/security/manager.py b/flask_appbuilder/security/manager.py
@@ -22,6 +22,7 @@
     RegisterUserOAuthView,
     RegisterUserOIDView,
 )
+from .utils import get_default_hash_method
 from .views import (
     AuthDBView,
     AuthLDAPView,
@@ -238,13 +239,16 @@ def __init__(self, appbuilder):
 
         # Werkzeug prior to 3.0.0 does not support scrypt
         parsed_werkzeug_version = Version(importlib.metadata.version("werkzeug"))
+
         if parsed_werkzeug_version < Version("3.0.0"):
+            app.config.setdefault("FAB_PASSWORD_HASH_METHOD", "pbkdf2:sha256")
             app.config.setdefault(
                 "AUTH_DB_FAKE_PASSWORD_HASH_CHECK",
                 "pbkdf2:sha256:150000$Z3t6fmj2$22da622d94a1f8118"
                 "c0976a03d2f18f680bfff877c9a965db9eedc51bc0be87c",
             )
         else:
+            app.config.setdefault("FAB_PASSWORD_HASH_METHOD", "pbkdf2:sha256")
             app.config.setdefault(
                 "AUTH_DB_FAKE_PASSWORD_HASH_CHECK",
                 "scrypt:32768:8:1$wiDa0ruWlIPhp9LM$6e40"
@@ -952,9 +956,7 @@ def reset_password(self, userid, password):
         user = self.get_user_by_id(userid)
         user.password = generate_password_hash(
             password=password,
-            method=self.appbuilder.get_app.config.get(
-                "FAB_PASSWORD_HASH_METHOD", "scrypt"
-            ),
+            method=get_default_hash_method(),
             salt_length=self.appbuilder.get_app.config.get(
                 "FAB_PASSWORD_HASH_SALT_LENGTH", 16
             ),
diff --git a/flask_appbuilder/security/sqla/apis/user/api.py b/flask_appbuilder/security/sqla/apis/user/api.py
@@ -11,6 +11,7 @@
     UserPutSchema,
 )
 from flask_appbuilder.security.sqla.models import Group, Role, User
+from flask_appbuilder.security.utils import get_default_hash_method
 from marshmallow import ValidationError
 from sqlalchemy.exc import IntegrityError
 from werkzeug.security import generate_password_hash
@@ -74,9 +75,7 @@ def pre_update(self, item, data):
         if "password" in data and data["password"]:
             item.password = generate_password_hash(
                 password=data["password"],
-                method=self.appbuilder.get_app.config.get(
-                    "FAB_PASSWORD_HASH_METHOD", "scrypt"
-                ),
+                method=get_default_hash_method(self.appbuilder.get_app),
                 salt_length=self.appbuilder.get_app.config.get(
                     "FAB_PASSWORD_HASH_SALT_LENGTH", 16
                 ),
diff --git a/flask_appbuilder/security/utils.py b/flask_appbuilder/security/utils.py
@@ -1,9 +1,23 @@
+import importlib
 from random import SystemRandom
 import string
 
+from packaging.version import Version
+
 LETTERS_AND_DIGITS = string.ascii_letters + string.digits
 
 
 def generate_random_string(length=30):
     rand = SystemRandom()
     return "".join(rand.choice(LETTERS_AND_DIGITS) for _ in range(length))
+
+
+def get_default_hash_method(app):
+    """
+    Returns the default password hash method based on the Werkzeug version.
+    """
+    parsed_werkzeug_version = Version(importlib.metadata.version("werkzeug"))
+    if parsed_werkzeug_version < Version("3.0.0"):
+        return app.config.get("FAB_PASSWORD_HASH_METHOD", "pbkdf2:sha256")
+    else:
+        return app.config.get("FAB_PASSWORD_HASH_METHOD", "scrypt")
diff --git a/flask_appbuilder/security/views.py b/flask_appbuilder/security/views.py
@@ -22,7 +22,10 @@
     roles_or_groups_required,
     UserInfoEdit,
 )
-from flask_appbuilder.security.utils import generate_random_string
+from flask_appbuilder.security.utils import (
+    generate_random_string,
+    get_default_hash_method,
+)
 from flask_appbuilder.utils.base import get_safe_redirect, lazy_formatter_gettext
 from flask_appbuilder.validators import PasswordComplexityValidator
 from flask_appbuilder.views import expose, ModelView, SimpleFormView
@@ -448,9 +451,7 @@ def pre_update(self, item: Any) -> None:
     def pre_add(self, item: Any) -> None:
         item.password = generate_password_hash(
             password=item.password,
-            method=self.appbuilder.get_app.config.get(
-                "FAB_PASSWORD_HASH_METHOD", "scrypt"
-            ),
+            method=get_default_hash_method(self.appbuilder.get_app),
             salt_length=self.appbuilder.get_app.config.get(
                 "FAB_PASSWORD_HASH_SALT_LENGTH", 16
             ),
