Patched sqli/dao/user.py

Author: patched.codes[bot]

sqli/dao/user.py

@@ -1,9 +1,7 @@
-from hashlib import md5
+from hashlib import scrypt as scrypt_hash
 from typing import NamedTuple, Optional
-
 from aiopg import Connection
 
-
 class User(NamedTuple):
     id: int
     first_name: str
@@ -38,4 +36,6 @@ async def get_by_username(conn: Connection, username: str):
             return User.from_raw(await cur.fetchone())
 
     def check_password(self, password: str):
-        return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
+        salt = self.pwd_hash.split('$')[1]
+        return scrypt_hash(password.encode('utf-8'), salt.encode('utf-8'), 16384, 8, 1, 32).hex() == self.pwd_hash
+