weefnn/full-stack-fastapi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use pwdlib with Argon2 by default, adding logic (and tests) to autoupdate old passwords using Bcrypt (#2104)

Browse Source 
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
This commit is contained in:
Sebastián Ramírez
2026-01-22 07:24:19 -08:00
committed by GitHub
parent a0fe8a236f
commit 730c6e9ebb
8 changed files with 304 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
backend/tests/crud/test_user.py
View File

@@ -1,4 +1,5 @@
from fastapi.encoders import jsonable_encoder
from pwdlib.hashers.bcrypt import BcryptHasher
from sqlmodel import Session
from app import crud
@@ -88,4 +89,42 @@ def test_update_user(db: Session) -> None:
user_2 = db.get(User, user.id)
assert user_2
assert user.email == user_2.email
assert verify_password(new_password, user_2.hashed_password)
verified, _ = verify_password(new_password, user_2.hashed_password)
assert verified
def test_authenticate_user_with_bcrypt_upgrades_to_argon2(db: Session) -> None:
"""Test that a user with bcrypt password hash gets upgraded to argon2 on login."""
email = random_email()
password = random_lower_string()
# Create a bcrypt hash directly (simulating legacy password)
bcrypt_hasher = BcryptHasher()
bcrypt_hash = bcrypt_hasher.hash(password)
assert bcrypt_hash.startswith("$2") # bcrypt hashes start with $2
# Create user with bcrypt hash directly in the database
user = User(email=email, hashed_password=bcrypt_hash)
db.add(user)
db.commit()
db.refresh(user)
# Verify the hash is bcrypt before authentication
assert user.hashed_password.startswith("$2")
# Authenticate - this should upgrade the hash to argon2
authenticated_user = crud.authenticate(session=db, email=email, password=password)
assert authenticated_user
assert authenticated_user.email == email
db.refresh(authenticated_user)
# Verify the hash was upgraded to argon2
assert authenticated_user.hashed_password.startswith("$argon2")
verified, updated_hash = verify_password(
password, authenticated_user.hashed_password
)
assert verified
# Should not need another update since it's already argon2
assert updated_hash is None