Signed-off-by: Nicolas Höning <nicolas@seita.nl>
Flix6x approved these changes Mar 16, 2026
Contributor
Okay. Obviously I'll have to take care when backporting this for v0.31.2, which doesn't use uv, but it seems relatively straightforward.
Contributor (Author)
Ah indeed, I forgot.
Description
We add bcrypt back to our dependencies (for a while or forever), as logging in to accounts with older passwords seems to require it.
Flask-Security requires you to explicitly install the library used for hashing. The project changed its default hashing algorithm from bcrypt to argon in v5.5.0 (which we have been using for a long time; I went back to 0.26). We did switch to installing argon explicitly (and not bcrypt anymore). Maybe we did not consider enough that the older passwords were hashed with a different algorithm than newer passwords.
But until now, there was also no issue. This is something we are not able to easily reproduce locally.
Apparently, bcrypt is needed when older passwords that were encrypted with it need to be used/reset. Requesting a new auth token works, but logging in does not (the user did the former regularly, but not the latter). Maybe we had a version live with both bcrypt and argon, which would do a re-hash successfully, and only a few users never logged in during that time? Just a theory.
Also, there was a weird error in the logs: "ERROR: Exception in /requestAuthToken endpoint: password cannot be longer than 72 bytes, truncate manually if necessary". This is misleading, as the message is not about the actual password as it appears; see the discussion in pyca/bcrypt#1082. It seems to be a problem with the new bcrypt version 5. Version 4.3.0 seems safer for now.
One hoster of FlexMeasures saw the problem, and installing bcrypt helped.
Closes https://github.com/SeitaBV/flexmeasures-cloudinfra/issues/283
documentation/changelog.rst