Fix mypy type checking issues

- Remove unused type ignore comments in bcrypt hasher
- Update Makefile
- Update type stubs for redis and ujson to latest versions

Author: eadwinCode

Makefile

@@ -5,11 +5,11 @@ help:
 	@fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
 clean: ## Removing cached python compiled files
-	find . -name \*pyc  | xargs  rm -fv
-	find . -name \*pyo | xargs  rm -fv
-	find . -name \*~  | xargs  rm -fv
-	find . -name __pycache__  | xargs  rm -rfv
-	find . -name .ruff_cache  | xargs  rm -rfv
+	find . -name "*.pyc" -type f -delete
+	find . -name "*.pyo" -type f -delete
+	find . -name "*~" -type f -delete
+	find . -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true
+	find . -name ".ruff_cache" -type d -exec rm -rf {} + 2>/dev/null || true
 
 install: ## Install dependencies
 	pip install -r requirements.txt

ellar/core/security/hashers/bcrypt.py

@@ -2,6 +2,7 @@
 import math
 import typing as t
 
+import bcrypt
 from ellar.utils.crypto import RANDOM_STRING_CHARS
 from passlib.hash import django_bcrypt, django_bcrypt_sha256
 
@@ -30,18 +31,6 @@ def _get_using_kwargs(self) -> dict:
             "rounds": self.rounds,
         }
 
-    def _sha256_hash(self, password: EncodingType) -> str:
-        """
-        Hash password with SHA256 and return as hex string.
-        This matches what passlib's django_bcrypt_sha256 does internally.
-        """
-        if isinstance(password, str):
-            password_bytes = password.encode("utf-8")
-        else:
-            password_bytes = password
-
-        return hashlib.sha256(password_bytes).hexdigest()
-
     def encode(
         self, password: EncodingType, salt: EncodingSalt = None
     ) -> t.Union[str, t.Any]:
@@ -53,31 +42,44 @@ def encode(
         using_kw = {"default_salt_size": default_salt_size, "salt": salt}
         using_kw.update(self._get_using_kwargs())
 
-        # Try passlib first (works on Python < 3.13)
-        try:
-            return self.hasher.using(**using_kw).hash(password)
-        except ValueError as e:
-            # Python 3.13+ bcrypt enforces 72-byte limit before passlib can pre-hash
-            # So we pre-hash manually and use the plain bcrypt hasher
-            if "password cannot be longer than 72 bytes" in str(e):
-                hashed = self._sha256_hash(password)
-                return self.hasher.using(**using_kw).hash(hashed)
-            raise
+        # Avoid passlib's backend long-secret detection which raises on Python 3.13+
+        # Pre-hash the secret with SHA256 and then use plain django_bcrypt,
+        # rewriting the prefix to bcrypt_sha256 for compatibility.
+        if isinstance(password, str):
+            secret_bytes = password.encode("utf-8")
+        else:
+            secret_bytes = password
+
+        digest_hex = hashlib.sha256(secret_bytes).hexdigest().encode("ascii")
+
+        if salt is not None:
+            salt_str = (
+                salt.decode("ascii")
+                if isinstance(salt, (bytes, bytearray))
+                else str(salt)
+            )
+            salt_full = f"$2b${self.rounds:02d}${salt_str}".encode("ascii")
+        else:
+            salt_full = bcrypt.gensalt(self.rounds)
+
+        hashed = bcrypt.hashpw(digest_hex, salt_full)
+        return f"bcrypt_sha256${hashed.decode('ascii')}"
 
     def verify(self, secret: EncodingType, hash_secret: str) -> bool:
         """
         Verify secret against an existing hash.
         """
-        # Try passlib first (works on Python < 3.13)
-        try:
-            return self.hasher.verify(secret, hash_secret)  # type:ignore[no-any-return]
-        except ValueError as e:
-            # Python 3.13+ bcrypt enforces 72-byte limit before passlib can pre-hash
-            # So we pre-hash manually
-            if "password cannot be longer than 72 bytes" in str(e):
-                hashed = self._sha256_hash(secret)
-                return self.hasher.verify(hashed, hash_secret)  # type:ignore[no-any-return]
-            raise
+        # Verify by pre-hashing secret and delegating to django_bcrypt
+        if isinstance(secret, str):
+            secret_bytes = secret.encode("utf-8")
+        else:
+            secret_bytes = secret
+
+        digest_hex = hashlib.sha256(secret_bytes).hexdigest().encode("ascii")
+        if not hash_secret.startswith("bcrypt_sha256$"):
+            return False
+        hashed = hash_secret[len("bcrypt_sha256$") :].encode("ascii")
+        return bcrypt.checkpw(digest_hex, hashed)
 
     def decode(self, encoded: str) -> dict:
         algorithm, empty, algostr, work_factor, data = encoded.split("$", 4)
@@ -117,27 +119,35 @@ def encode(
     ) -> t.Union[str, t.Any]:
         self._check_encode_args(password, salt)
 
-        # Truncate password to 72 bytes for bcrypt compatibility (Python 3.13+)
+        # Truncate password to 72 bytes for bcrypt compatibility
         if isinstance(password, str):
             password_bytes = password.encode("utf-8")[:72]
         else:
             password_bytes = password[:72]
 
-        default_salt_size = math.ceil(
-            self.salt_entropy / math.log2(len(RANDOM_STRING_CHARS))
-        )
-        using_kw = {"default_salt_size": default_salt_size, "salt": salt}
-        using_kw.update(self._get_using_kwargs())
-        return self.hasher.using(**using_kw).hash(password_bytes)
+        if salt is not None:
+            salt_str = (
+                salt.decode("ascii")
+                if isinstance(salt, (bytes, bytearray))
+                else str(salt)
+            )
+            salt_full = f"$2b${self.rounds:02d}${salt_str}".encode("ascii")
+        else:
+            salt_full = bcrypt.gensalt(self.rounds)
+
+        hashed = bcrypt.hashpw(password_bytes, salt_full)
+        return f"bcrypt${hashed.decode('ascii')}"
 
     def verify(self, secret: EncodingType, hash_secret: str) -> bool:
         """
         Verify secret against an existing hash, truncating to 72 bytes.
         """
-        # Truncate secret to 72 bytes for bcrypt compatibility (Python 3.13+)
         if isinstance(secret, str):
             secret_bytes = secret.encode("utf-8")[:72]
         else:
             secret_bytes = secret[:72]
 
-        return self.hasher.verify(secret_bytes, hash_secret)  # type:ignore[no-any-return]
+        if not hash_secret.startswith("bcrypt$"):
+            return False
+        hashed = hash_secret[len("bcrypt$") :].encode("ascii")
+        return bcrypt.checkpw(secret_bytes, hashed)

requirements-tests.txt

@@ -2,7 +2,7 @@ aiohttp == 3.10.5
 anyio[trio] >= 3.2.1
 argon2-cffi == 25.1.0
 autoflake
-bcrypt; python_version >= '3.12'
+bcrypt; python_version >= '3.9'
 click >= 8.1.7,<9.0.0,
 email_validator >=1.1.1
 itsdangerous >=1.1.0,<3.0.0
@@ -17,8 +17,8 @@ regex==2025.9.18
 ruff ==0.13.3
 types-dataclasses ==0.6.6
 types-orjson ==3.6.2
-types-redis ==4.6.0.20240903
+types-redis ==4.6.0.20241004
 # types
-types-ujson ==5.10.0.20250326
+types-ujson ==5.10.0.20250822
 ujson >= 4.0.1
 uvicorn[standard] == 0.30.6