From: Chris Fulljames
Date: Sat, 2 May 2026 15:59:19 +0000 (-0400)
Subject: Allow password hashes as bytes or strings in DB
X-Git-Url: https://littlesong.place/gitweb/?a=commitdiff_plain;h=refs%2Fheads%2Fmaster;p=littlesongplace.git

Allow password hashes as bytes or strings in DB
---
diff --git a/src/littlesongplace/auth.py b/src/littlesongplace/auth.py
index 21b15af..02dcbc3 100644
--- a/src/littlesongplace/auth.py
+++ b/src/littlesongplace/auth.py
@@ -13,7 +13,7 @@ bp = Blueprint("auth", __name__)
 def signup_get():
 return render_template("signup.html")
 
-def _check_password(password, password_confirm):
+def _validate_password(password, password_confirm):
 error = False
 if password != password_confirm:
 flash_and_log("Passwords do not match", "error")
@@ -23,6 +23,17 @@ def _check_password(password, password_confirm):
 error = True
 return error
 
+def _check_password(user_data, password):
+ if not user_data:
+ return False
+
+ # Password has must be bytes
+ pwhash = user_data["password"]
+ if isinstance(pwhash, str):
+ pwhash = pwhash.encode()
+
+ return bcrypt.checkpw(password.encode(), pwhash)
+
 def _hash_password(password):
 return bcrypt.hashpw(password.encode(), bcrypt.gensalt())
 
@@ -43,7 +54,7 @@ def signup_post():
 flash_and_log("Username cannot be more than 30 characters", "error")
 error = True
 
- error = error or _check_password(password, password_confirm)
+ error = error or _validate_password(password, password_confirm)
 
 if db.query("select * from users where username = ?", [username], one=True):
 flash_and_log(f"Username '{username}' is already taken", "error")
@@ -86,7 +97,7 @@ def login_post():
 
 user_data = db.query("select * from users where username = ?", [username], one=True)
 
- if user_data and bcrypt.checkpw(password.encode(), user_data["password"]):
+ if _check_password(user_data, password):
 # Successful login
 session["username"] = username
 session["userid"] = user_data["userid"]
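Review bot: `_check_password` in the second hunk returns before any bcrypt work when `user_data` is falsy, so a request naming an unknown username completes measurably faster than one with a wrong password; the inline `user_data and bcrypt.checkpw(...)` it replaces in `login_post` had the same shape, but the helper is now the single place to close that timing difference by always running `checkpw`, against a module-level dummy hash when no row was found. `bcrypt.checkpw` also raises `ValueError` on a malformed stored hash as far as I know, so a corrupted `password` column would surface as an unhandled exception on login rather than a failed check; a narrow `except ValueError` that logs and returns False is worth considering if the column cannot be trusted. The comment `# Password has must be bytes` reads better as `# bcrypt needs the stored hash as bytes; older rows may hold it as str`.
```python
# Hashed once at import so unknown users cost the same bcrypt work as known ones.
_DUMMY_HASH = bcrypt.hashpw(b"", bcrypt.gensalt())

def _check_password(user_data, password):
    # bcrypt needs the stored hash as bytes; older rows may hold it as str
    pwhash = user_data["password"] if user_data else _DUMMY_HASH
    if isinstance(pwhash, str):
        pwhash = pwhash.encode()
    # Always run checkpw; the row check comes second so timing does not depend on it.
    return bcrypt.checkpw(password.encode(), pwhash) and bool(user_data)
```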
@@ -122,12 +133,12 @@ def password_reset_post():
 error = True
 
 # Check old password
- elif not bcrypt.checkpw(old_password.encode(), user_data["password"]):
+ if not _check_password(user_data, old_password):
 flash("Invalid username/password", "error")
 error = True
 
 # Check new password
- error = error or _check_password(password, password_confirm)
+ error = error or _validate_password(password, password_confirm)
 
 # Reload page on error
 if error:
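Review bot: The `elif` that became `if` in this hunk sits under a branch that begins before line 122 and is outside the hunk, so with `if` both that branch and `_check_password` can now flash an error on the same request; if the earlier branch is the unknown-user case, the helper's own falsy-`user_data` path already covers it and a second "Invalid username/password" flash is the visible result. A one-line comment above the new `if` would record the intent, e.g. `# Not elif: _check_password tolerates a missing row, so the old password is always verified`, or the change can be reverted to `elif` if the double flash is unwanted. `password_reset_post` starts and ends outside the hunk.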