Skip to content

♻️ Use bcrypt directly instead of passlib #1539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
karta9821 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

♻️ Use bcrypt directly instead of passlib #1539

karta9821 wants to merge 2 commits into from
+8 −26

Conversation

@karta9821
Copy link

@karta9821 karta9821 commented Apr 7, 2025
edited by YuriiMotov
Loading

The passlib library, previously used for password hashing in this project, is no longer actively maintained — its last update was over 4 years ago. This has been confirmed here: link to the issue.

To improve long-term security and maintainability, this PR replaces passlib with direct usage of the bcrypt library, which is actively maintained and widely used for secure password hashing.

Discussion: #1369

@karta9821 karta9821 force-pushed the feature/replace-passlib-with-bcrypt branch 2 times, most recently from 4f520da to fb5e042 Compare April 7, 2025 20:00
@alejsdev alejsdev added the feature New feature or request label Apr 14, 2025
@alejsdev alejsdev changed the title feat: Use bcrypt directly instead of passlib ✨ Use bcrypt directly instead of passlib Apr 14, 2025
@karta9821 karta9821 force-pushed the feature/replace-passlib-with-bcrypt branch from fb5e042 to 80c7687 Compare April 27, 2025 14:08
@YuriiMotov YuriiMotov added refactor and removed feature New feature or request labels Sep 3, 2025
@YuriiMotov YuriiMotov changed the title ✨ Use bcrypt directly instead of passlib ♻️ Use bcrypt directly instead of passlib Sep 3, 2025
YuriiMotov
YuriiMotov approved these changes Sep 3, 2025
View reviewed changes
Copy link
Member

@YuriiMotov YuriiMotov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@karta9821, thank you!

Seems that passlib is dead, and sooner or later we have to take this step.

Changes are not breaking - previously created users can login.

ToDo:

  • We can also remove types-passlib dev dependency.
  • Before merging, I would regenerate and commit uv.lock

@github-actions github-actions bot added the conflicts Automatically generated when a PR has a merge conflict label Sep 7, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Sep 7, 2025

This pull request has a merge conflict that needs to be resolved.

@YuriiMotov
Copy link
Member

YuriiMotov commented Oct 10, 2025

passlib was recently replaced with pwdlib with Argon2 in FastAPI repository: fastapi/fastapi#13917

So, we should probably be consistent here and also use pwdlib in this repo

@4sushi 4sushi mentioned this pull request Oct 20, 2025
Open
@fudanglp
Copy link

fudanglp commented Dec 22, 2025

@YuriiMotov
I prefer this approach over #1941.

Compared to replacing passlib with pwdlib:

  • Fewer dependencies: No need for pwdlib, argon2-cffi, cffi, pycparser
  • Simpler code: Direct bcrypt calls vs another password hashing abstraction
  • No unnecessary features: Argon2 support isn't needed if the existing hashes are bcrypt

The bcrypt library is already a transitive dependency through passlib, so this is essentially just removing the passlib wrapper.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@YuriiMotov YuriiMotov YuriiMotov approved these changes

Assignees

No one assigned

Labels

conflicts Automatically generated when a PR has a merge conflict refactor

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@karta9821 @YuriiMotov @fudanglp @alejsdev