Increase password strength in TG2 quickstart

Author: amol-

devtools/gearbox/quickstart/command.py

@@ -4,6 +4,7 @@
 import os
 import shutil
 import glob
+import uuid
 import importlib.metadata
 import importlib.util
 
@@ -160,17 +161,8 @@ def take_action(self, opts):
                 % opts.name)
             return
 
-        opts.cookiesecret = None
-        try:
-            import uuid
-            opts.cookiesecret = str(uuid.uuid4())
-        except ImportError:
-            import random
-            import base64
-            import struct
-            opts.cookiesecret = base64.b64encode(''.join(
-                [struct.pack('i', random.randrange(2 ** 31))
-                    for _n in range(6)])).strip()
+        opts.cookiesecret = str(uuid.uuid4())
+        opts.passwordsalt = str(uuid.uuid4())
 
         quickstart_path = os.path.os.path.abspath(os.path.dirname(__file__))
 

devtools/gearbox/quickstart/template/+package+/model/auth.py_tmpl

@@ -12,7 +12,7 @@ though.
 {{if auth}}
 import os
 from datetime import datetime
-from hashlib import sha256
+from hashlib import pbkdf2_hmac, sha256
 {{endif}}
 
 {{if auth == "sqlalchemy"}}
@@ -125,16 +125,13 @@ class User(DeclarativeBase):
 
     @classmethod
     def _hash_password(cls, password):
-        salt = sha256()
-        salt.update(os.urandom(60))
-        salt = salt.hexdigest()
+        password = pbkdf2_hmac(
+            'sha256',
+            password.encode('utf-8'),
+            b"{{passwordsalt}}",
+            iterations=100_000
+        ).hex()
 
-        hash = sha256()
-        # Make sure password is a str because we cannot hash unicode objects
-        hash.update((password + salt).encode('utf-8'))
-        hash = hash.hexdigest()
-
-        password = salt + hash
         return password
 
     def _set_password(self, password):
@@ -160,9 +157,14 @@ class User(DeclarativeBase):
         :rtype: bool
 
         """
-        hash = sha256()
-        hash.update((password + self.password[:64]).encode('utf-8'))
-        return self.password[64:] == hash.hexdigest()
+        password = pbkdf2_hmac(
+            'sha256',
+            password.encode('utf-8'),
+            b"{{passwordsalt}}",
+            iterations=100_000
+        ).hex()
+
+        return self.password == password
 
 
 class Permission(DeclarativeBase):
@@ -247,16 +249,13 @@ class User(MappedClass):
     class PasswordProperty(FieldProperty):
         @classmethod
         def _hash_password(cls, password):
-            salt = sha256()
-            salt.update(os.urandom(60))
-            salt = salt.hexdigest()
-
-            hash = sha256()
-            # Make sure password is a str because we cannot hash unicode objects
-            hash.update((password + salt).encode('utf-8'))
-            hash = hash.hexdigest()
+            password = pbkdf2_hmac(
+                'sha256',
+                password.encode('utf-8'),
+                b"{{passwordsalt}}",
+                iterations=100_000
+            ).hex()
 
-            password = salt + hash
             return password
 
         def __set__(self, instance, value):
@@ -295,8 +294,12 @@ class User(MappedClass):
         :rtype: bool
 
         """
-        hash = sha256()
-        hash.update((password + self.password[:64]).encode('utf-8'))
-        return self.password[64:] == hash.hexdigest()
+        password = pbkdf2_hmac(
+            'sha256',
+            password.encode('utf-8'),
+            b"{{passwordsalt}}",
+            iterations=100_000
+        ).hex()
+        return self.password == password
 
 {{endif}}