our LDAP plugin's password handling uses crypt
which is deprecated since 3.11 and removed in 3.13 https://docs.python.org/3/library/crypt.html
crypt only supports a few algorithms anyway, it'd be good to support argon2, scrypt, bcrypt, pbkdf2_sha512
local password storage does sha256 and definitely should be updated. Similar/same config options for local & ldap hashing?
https://passlib.readthedocs.io/en/stable/ seems pretty good and supports a lot of algorithms, but it isn't maintained the best :(
If an admin configures a new password hashing algorithm, we should make it a seamless transition, including re-hashing the password when someone logs in, if needed.
allura:db/8566
QA: After switching to this branch, you should be able to log in as a user, and then see that the password automatically got re-hashed with the new preferred algorithm.
There are breaking AuthenticationProvider plugin changes, for any custom Auth implementations:
- `set_password` takes a `set_timestamp=True` parameter, which should be checked before setting `user.last_password_updated`
- `def validate_password` renamed to `def _validate_password`, since the base class implements a high-level `validate_password` now
- `password_algorithm` field
- `_login` (...) should now call `self.rehash_password_if_needed` too

merged
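Added illustration of the rehash-on-login behaviour the ticket asks for (a self-contained sketch, not Allura's code or its AuthenticationProvider API): each stored hash records its own algorithm and parameters, verification always uses what the record says, and a successful login re-hashes with the currently preferred algorithm when the stored one is stale. The `$algo$params$salt$digest` record format, the algorithm names, the `login`/`needs_rehash` helpers and the sample user are all constructed for this example; the legacy `sha256` scheme is kept only so that old records still verify before they are upgraded.

```python
"""Seamless password-hash migration on login (added example, not Allura's code)."""
import base64
import hashlib
import hmac
import os

# The first entry is what new hashes use; the rest exist only so old records verify.
PREFERRED_ALGORITHM = "scrypt"
DEFAULT_PARAMS = {
    "scrypt": "16384,8,1",      # n,r,p  (constructed parameters for this example)
    "pbkdf2_sha512": "100000",  # iteration count
    "sha256": "",               # legacy salted sha256, no tunable parameters
}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(algorithm: str, params: str, salt: bytes, pw: bytes) -> bytes:
    """Run the named KDF with the parameters taken from the stored record."""
    if algorithm == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        return hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=32)
    if algorithm == "pbkdf2_sha512":
        return hashlib.pbkdf2_hmac("sha512", pw, salt, int(params), dklen=64)
    if algorithm == "sha256":
        return hashlib.sha256(salt + pw).digest()
    raise ValueError(f"unsupported algorithm {algorithm!r}")


def hash_password(password: str, algorithm: str = PREFERRED_ALGORITHM) -> str:
    """Return a "$algo$params$salt$digest" record (format constructed for this example)."""
    salt = os.urandom(16)
    params = DEFAULT_PARAMS[algorithm]
    digest = _derive(algorithm, params, salt, password.encode("utf-8"))
    return f"${algorithm}${params}${_b64(salt)}${_b64(digest)}"


def parse_record(stored: str):
    _, algorithm, params, salt_b64, digest_b64 = stored.split("$")
    return algorithm, params, base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Verify against the record's own algorithm; constant-time compare of the digests."""
    algorithm, params, salt, digest = parse_record(stored)
    if algorithm not in DEFAULT_PARAMS:
        return False
    computed = _derive(algorithm, params, salt, password.encode("utf-8"))
    return hmac.compare_digest(computed, digest)


def needs_rehash(stored: str) -> bool:
    """True when the record was not produced with the preferred algorithm and parameters."""
    algorithm, params, _, _ = parse_record(stored)
    return algorithm != PREFERRED_ALGORITHM or params != DEFAULT_PARAMS[PREFERRED_ALGORITHM]


def login(user: dict, password: str) -> bool:
    """Authenticate; on success, upgrade a stale stored hash in place.

    Re-hashing is only possible here because the plaintext password is available
    at login time, which is why the migration has to hook into the login path.
    """
    if not verify_password(password, user["password"]):
        return False
    if needs_rehash(user["password"]):
        user["password"] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample: a user whose password was stored under the legacy scheme.
    alice = {"username": "alice", "password": hash_password("correct horse", algorithm="sha256")}
    print("before:", alice["password"].split("$")[1])
    print("login ok:", login(alice, "correct horse"))
    print("after: ", alice["password"].split("$")[1])
```

Switching `PREFERRED_ALGORITHM` (or tightening its parameters) is all an admin would change; existing records keep verifying, and each account is upgraded the next time its owner logs in, which is also what the QA step above checks for. A failed login must never trigger a rehash, since the plaintext was not proven correct.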