Passlib dependency #1032

Open
david-froot opened this issue Oct 10, 2024 · 2 comments

@david-froot

This package depends on passlib which is out of date (last updated in Oct 2020) and depends on crypt which is removed in Python 3.13. Suggest replacing with bcrypt.

@jwag956
Collaborator

jwag956 commented Oct 18, 2024

This fork: https://pypi.org/project/libpass/ looks promising. I am going to let that settle a bit before converting over.

@jwag956 jwag956 self-assigned this Nov 13, 2024
@jwag956 jwag956 added this to the 5.6 milestone Nov 13, 2024
@jwag956
Collaborator

jwag956 commented Dec 30, 2024

I am looking into this.

First - libpass seems to work just fine and I am hoping it will get the effort needed to get it all cleaned up.

passlib still works for 3.13 - while it does attempt to import crypt - it has fallbacks if that import fails. Now - the fallback for safe_crypt() when there isn't 'crypt' is to return a Null hash - which seems bad - but the few places that call this all have higher level fallbacks. More importantly - it seems to be only called in:

  • des_crypt
  • md5_crypt
  • sha1_crypt
  • sha2_crypt
  • bcrypt - but ONLY in the case no external bcrypt library is installed

So I think that for most if not all Flask-Security applications - this shouldn't be an issue.

I don't want to set libpass as a dependency yet since it is a new fork - let's see how it gets maintained.

@jwag956 jwag956 removed this from the 5.6 milestone Dec 30, 2024