49 lines
1008 B
Python
49 lines
1008 B
Python
"""
|
|
Auth helpers: password hashing + cookie token hashing.
|
|
|
|
We intentionally avoid heavy dependencies. Password hashing uses PBKDF2-HMAC-SHA256.
|
|
Session tokens are random and stored server-side as SHA256(token) hashes.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import hashlib
|
|
import secrets
|
|
from typing import Optional, Tuple
|
|
|
|
|
|
PBKDF2_ITERS = 200_000
|
|
|
|
|
|
def hash_password(password: str, salt_hex: Optional[str] = None) -> Tuple[str, str]:
|
|
salt = bytes.fromhex(salt_hex) if salt_hex else secrets.token_bytes(16)
|
|
dk = hashlib.pbkdf2_hmac("sha256", (password or "").encode("utf-8"), salt, PBKDF2_ITERS)
|
|
return dk.hex(), salt.hex()
|
|
|
|
|
|
def verify_password(password: str, password_hash: str, salt_hex: str) -> bool:
|
|
cand, _ = hash_password(password, salt_hex=salt_hex)
|
|
return cand == (password_hash or "")
|
|
|
|
|
|
def new_session_token() -> str:
|
|
return secrets.token_urlsafe(32)
|
|
|
|
|
|
def hash_token(token: str) -> str:
|
|
return hashlib.sha256((token or "").encode("utf-8")).hexdigest()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|