# HG changeset patch
# User Mads Kiilerich
# Date 1577664156 -3600
# Node ID 4e0442f914b9f641ca92fe3537869f826eeec2d3
# Parent 8b47181750a82188369cf013fc8b30c321a391dd
auth: accept sha256 passwords on all platforms - not only on Windows
Give less surprises when changing platform. Still, bcrypt is only supported and used on Posix. bcrypt "hashes" will have length 60 and start with '$' and will thus immediately skip the sha256 check. The change should be safe: Users can't influence what kind of hashed key will be in the database and can thus not influence the auth method. (We really should use bcrypt on Windows too ... or change to something more state of the art.)
diff -r 8b47181750a8 -r 4e0442f914b9 kallithea/lib/auth.py
--- a/kallithea/lib/auth.py Thu Jan 09 12:28:33 2020 +0100
+++ b/kallithea/lib/auth.py Mon Dec 30 01:02:36 2019 +0100
@@ -28,6 +28,7 @@
 import itertools
 import logging
 import os
+import string
 
 import ipaddr
 from decorator import decorator
@@ -109,8 +110,9 @@
     :param password: password
     :param hashed: password in hashed form
     """
-
-    if is_windows:
+    # sha256 hashes will always be 64 hex chars
+    # bcrypt hashes will always contain $ (and be shorter)
+    if is_windows or len(hashed) == 64 and all(x in string.hexdigits for x in hashed):
         return hashlib.sha256(password).hexdigest() == hashed
     elif is_unix:
         import bcrypt
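Review bot: The sha256 branch that the new guard makes reachable on every platform still compares the digest with `==`, which short-circuits at the first differing character and so leaks how many leading hex digits of the stored hash a guess matched; a remote timing attack on a 64-character compare is hard in practice, but the standard fix is a constant-time compare, `return hmac.compare_digest(hashlib.sha256(password).hexdigest(), hashed)`, with `import hmac` added to the stdlib import group touched by the first hunk (available since Python 2.7.7 / 3.3). The far larger timing difference between this branch and the bcrypt branch cannot be hidden that way and is inherent to keeping two hash formats, which the description already acknowledges. Note also that `string.hexdigits` accepts upper-case letters while `hexdigest()` is lower-case, so an upper-case stored sha256 would pass the guard yet never match; if such rows can exist (cannot tell from here), comparing against `hashed.lower()` would make the guard and the compare agree. The enclosing function starts and ends outside the hunk.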