✨ Use pwdlib with Argon2 by default, adding logic (and tests) to autoupdate old passwords using Bcrypt (#2104)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

backend/tests/api/routes/test_login.py

@@ -1,12 +1,13 @@
 from unittest.mock import patch
 
 from fastapi.testclient import TestClient
+from pwdlib.hashers.bcrypt import BcryptHasher
 from sqlmodel import Session
 
 from app.core.config import settings
-from app.core.security import verify_password
+from app.core.security import get_password_hash, verify_password
 from app.crud import create_user
-from app.models import UserCreate
+from app.models import User, UserCreate
 from app.utils import generate_password_reset_token
 from tests.utils.user import user_authentication_headers
 from tests.utils.utils import random_email, random_lower_string
@@ -99,7 +100,8 @@ def test_reset_password(client: TestClient, db: Session) -> None:
     assert r.json() == {"message": "Password updated successfully"}
 
     db.refresh(user)
-    assert verify_password(new_password, user.hashed_password)
+    verified, _ = verify_password(new_password, user.hashed_password)
+    assert verified
 
 
 def test_reset_password_invalid_token(
@@ -116,3 +118,68 @@ def test_reset_password_invalid_token(
     assert "detail" in response
     assert r.status_code == 400
     assert response["detail"] == "Invalid token"
+
+
+def test_login_with_bcrypt_password_upgrades_to_argon2(
+    client: TestClient, db: Session
+) -> None:
+    """Test that logging in with a bcrypt password hash upgrades it to argon2."""
+    email = random_email()
+    password = random_lower_string()
+
+    # Create a bcrypt hash directly (simulating legacy password)
+    bcrypt_hasher = BcryptHasher()
+    bcrypt_hash = bcrypt_hasher.hash(password)
+    assert bcrypt_hash.startswith("$2")  # bcrypt hashes start with $2
+
+    user = User(email=email, hashed_password=bcrypt_hash, is_active=True)
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+
+    assert user.hashed_password.startswith("$2")
+
+    login_data = {"username": email, "password": password}
+    r = client.post(f"{settings.API_V1_STR}/login/access-token", data=login_data)
+    assert r.status_code == 200
+    tokens = r.json()
+    assert "access_token" in tokens
+
+    db.refresh(user)
+
+    # Verify the hash was upgraded to argon2
+    assert user.hashed_password.startswith("$argon2")
+
+    verified, updated_hash = verify_password(password, user.hashed_password)
+    assert verified
+    # Should not need another update since it's already argon2
+    assert updated_hash is None
+
+
+def test_login_with_argon2_password_keeps_hash(client: TestClient, db: Session) -> None:
+    """Test that logging in with an argon2 password hash does not update it."""
+    email = random_email()
+    password = random_lower_string()
+
+    # Create an argon2 hash (current default)
+    argon2_hash = get_password_hash(password)
+    assert argon2_hash.startswith("$argon2")
+
+    # Create user with argon2 hash
+    user = User(email=email, hashed_password=argon2_hash, is_active=True)
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+
+    original_hash = user.hashed_password
+
+    login_data = {"username": email, "password": password}
+    r = client.post(f"{settings.API_V1_STR}/login/access-token", data=login_data)
+    assert r.status_code == 200
+    tokens = r.json()
+    assert "access_token" in tokens
+
+    db.refresh(user)
+
+    assert user.hashed_password == original_hash
+    assert user.hashed_password.startswith("$argon2")