chore: lint cleanup 1175→0 + auth.py fix + drop passlib #3
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "chore/lint-debt-cleanup"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Promotes chore/lint-debt-cleanup (3 commits) to main.
The reported symptom (AttributeError: module 'bcrypt' has no attribute '__about__') was misleading. passlib 1.7.4 (the latest released version — the project is unmaintained) actually traps that AttributeError with a bare `except:` and continues. The real failure occurs later in `passlib.handlers.bcrypt._finalize_backend_mixin`: detect_wrap_bug -> verify(secret, bug_hash) where secret = (b"0123456789"*26)[:255] # 255-byte test secret bcrypt 4.0+ removed silent 72-byte truncation and now raises `ValueError: password cannot be longer than 72 bytes`, breaking the backend probe and crashing every `pwd_context.hash()/verify()` call. Three options were considered: A. Upgrade passlib — impossible, 1.7.4 is the latest PyPI release. B. Pin bcrypt<4.0 — conflicts with chromadb 1.1.1 (>=4.0.1 required), even though chromadb's bcrypt usage is optional and still works at runtime in practice. C. Shim bcrypt.__about__ — doesn't fix the actual truncation error. Chosen: refactor app/auth.py to use bcrypt directly for backup-code hashing too (the main `hash_password`/`verify_password` already did). Drops the passlib dependency entirely, restoring bcrypt 5.x for chromadb compatibility and eliminating the unmaintained passlib pin. Verified: * hash_password / verify_password round-trip OK * _hash_backup_code / _verify_backup_code round-trip OK on freshly generated 8-digit backup codes * `pytest tests/unit` -> 717 passed, 32 warnings, 60 subtests passed