From 95e2bb9a39d61f142ae05085621c88765cde1fc9 Mon Sep 17 00:00:00 2001
From: gilesb
Date: Wed, 7 Jan 2026 16:00:22 +0000
Subject: [PATCH] fix: use bcrypt directly instead of passlib

---
 auth.py | 18 ++++++------------
 requirements.txt | 2 +-
 2 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/auth.py b/auth.py
index 4670595..592bbb8 100644
--- a/auth.py
+++ b/auth.py
@@ -11,14 +11,10 @@ from datetime import datetime, timezone, timedelta
 from pathlib import Path
 from typing import Optional
-from passlib.context import CryptContext
+import bcrypt
 from jose import JWTError, jwt
 from pydantic import BaseModel
-
-# Password hashing (truncate_error=False allows bcrypt to silently truncate)
-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto", bcrypt__truncate_error=False)
-
 # JWT settings
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_DAYS = 30
@@ -93,19 +89,17 @@ def save_users(data_dir: Path, users: dict[str, dict]):
         json.dump(users, f, indent=2)
-def truncate_password(password: str) -> str:
-    """Truncate password to 72 bytes for bcrypt."""
-    return password.encode('utf-8')[:72].decode('utf-8', errors='ignore')
-
-
 def hash_password(password: str) -> str:
     """Hash a password (truncate to 72 bytes for bcrypt)."""
-    return pwd_context.hash(truncate_password(password))
+    # Truncate to 72 bytes (bcrypt limit)
+    pw_bytes = password.encode('utf-8')[:72]
+    return bcrypt.hashpw(pw_bytes, bcrypt.gensalt()).decode('utf-8')
 def verify_password(plain_password: str, hashed_password: str) -> bool:
     """Verify a password against its hash."""
-    return pwd_context.verify(truncate_password(plain_password), hashed_password)
+    pw_bytes = plain_password.encode('utf-8')[:72]
+    return bcrypt.checkpw(pw_bytes, hashed_password.encode('utf-8'))
 def create_user(data_dir: Path, username: str, password: str, email: Optional[str] = None) -> User:
diff --git a/requirements.txt b/requirements.txt
index 354f428..4cfd4d9 100644
--- a/requirements.txt
+++ b/requirements.txt
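Review bot: In hash_password and verify_password the new `password.encode('utf-8')[:72]` slice can stop in the middle of a multi-byte UTF-8 sequence, whereas the removed truncate_password discarded such a partial character via `decode('utf-8', errors='ignore')` before passlib re-encoded the string; for a password longer than 72 bytes with a character straddling that boundary, the bytes given to bcrypt now differ from what was hashed before, so existing stored hashes for such passwords would presumably stop verifying. Since both functions now repeat the same slice, I would restore one private helper used by both, e.g. `def _truncate_password(password: str) -> bytes: return password.encode('utf-8')[:72].decode('utf-8', errors='ignore').encode('utf-8')`, which keeps the two paths from drifting and reproduces the previous byte sequence. verify_password's docstring should also state that it truncates to 72 bytes like hash_password, since passwords differing only after byte 72 verify as equal and a reader of the function alone cannot see that. bcrypt.checkpw raises ValueError on a malformed stored hash rather than returning False; passlib's verify raised in that case too as far as I can tell, so this is not a regression, but the login path calling verify_password (outside this hunk) is worth checking so that a corrupted user record yields a clean authentication failure instead of an unhandled error.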
@@ -2,7 +2,7 @@ fastapi>=0.109.0
 uvicorn>=0.27.0
 requests>=2.31.0
 cryptography>=42.0.0
-passlib[bcrypt]>=1.7.4
+bcrypt>=4.0.0
 python-jose[cryptography]>=3.3.0
 markdown>=3.5.0
 python-multipart>=0.0.6