From 9512d6cb46bfa44ef4dfdf6f20f97336c7eb2685 Mon Sep 17 00:00:00 2001
From: nocci
Date: Sat, 6 Dec 2025 13:25:18 +0000
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20refactor(auth):=20remove?=
 =?UTF-8?q?=20bcrypt=20password=20length=20limitation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- switch from bcrypt to bcrypt_sha256 to allow longer passwords
- remove password_too_long function and related checks

📦 build(requirements): update bcrypt package version

- add bcrypt==4.0.1 to requirements.txt for compatibility with bcrypt_sha256
---
 app/auth.py      | 12 ++----------
 app/main.py      | 16 ----------------
 requirements.txt |  1 +
 3 files changed, 3 insertions(+), 26 deletions(-)

diff --git a/app/auth.py b/app/auth.py
index 2d75406..2177fdb 100644
--- a/app/auth.py
+++ b/app/auth.py
@@ -7,8 +7,8 @@ from sqlmodel import Session, select
 from .db import get_session
 from .models import User
 
-BCRYPT_MAX_BYTES = 72
-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+# bcrypt_sha256 erlaubt auch längere Passwörter (hashing von SHA-256 vor bcrypt)
+pwd_context = CryptContext(schemes=["bcrypt_sha256"], deprecated="auto")
 
 
 def hash_password(password: str) -> str:
@@ -21,14 +21,6 @@ def verify_password(plain_password: str, hashed_password: str) -> bool:
     return pwd_context.verify(plain_password, hashed_password)
 
 
-def password_too_long(password: str) -> bool:
-    """Return True if password exceeds bcrypt's 72-byte limit."""
-    try:
-        return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES
-    except Exception:
-        return True
-
-
 def get_current_user(
     request: Request,
     session: Session = Depends(get_session),
diff --git a/app/main.py b/app/main.py
index deb8c29..6ecb272 100644
--- a/app/main.py
+++ b/app/main.py
@@ -21,7 +21,6 @@ from .utils import (
 from .auth import (
     hash_password,
     verify_password,
-    password_too_long,
     get_current_user,
     require_current_user,
     require_admin,
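Review bot: Dropping `bcrypt` from the schemes list on the new `pwd_context` line means every hash already stored by the old context (`$2b$...`) no longer matches any configured scheme, so `verify_password` will most likely raise an unidentifiable-hash error for those accounts instead of returning False, turning every existing user's login into a 500 until they reset their password. Keep the old scheme as a deprecated fallback, `pwd_context = CryptContext(schemes=["bcrypt_sha256", "bcrypt"], deprecated=["bcrypt"])`, and have the login path use `pwd_context.verify_and_update()` (or check `pwd_context.needs_update()`) so legacy hashes are transparently re-hashed on the next successful login; `verify_password` and the login handler are outside this hunk. Removing the 72-byte cap also leaves the request body size as the only bound on password length; bcrypt_sha256 makes long inputs cheap to hash, but a generous application-level maximum (for example 1024 bytes) is still the usual choice and would be validated where `password_too_long` used to be. The German comment on the new line should also name the actual mechanism, e.g. `# bcrypt_sha256 pre-hashes the password with SHA-256, so inputs over 72 bytes are no longer silently truncated`.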
@@ -143,8 +142,6 @@ def register(
     error = None
     if password != password_confirm:
         error = "Passwords do not match."
-    elif password_too_long(password):
-        error = "Passwort ist zu lang (max. 72 Bytes). Bitte kürzer wählen."
     else:
         existing = session.exec(
             select(User).where(User.username == username)
@@ -224,19 +221,6 @@ def login(
         status_code=400,
     )
 
-    if password_too_long(password):
-        token = ensure_csrf_token(request)
-        return templates.TemplateResponse(
-            "login.html",
-            {
-                "request": request,
-                "error": "Passwort ist zu lang (max. 72 Bytes).",
-                "current_user": None,
-                "csrf_token": token,
-            },
-            status_code=400,
-        )
-
     user = session.exec(select(User).where(User.username == username)).first()
     error = None
     if not user or not verify_password(password, user.password_hash):
diff --git a/requirements.txt b/requirements.txt
index 3a99b4d..4fa994c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,3 +6,4 @@ python-multipart
 cryptography
 passlib[bcrypt]
 itsdangerous
+bcrypt==4.0.1