From 4093b18e9ba2e2c969943796f2c4f4be344db323 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Tue, 5 Sep 2023 21:14:47 +0200
Subject: [PATCH] Implement a _hash_password helper that only requires standard python lib.
---
 conf/hash_generator.py | 5 -----
 scripts/_common.sh | 17 +++++++++++++++++
 scripts/change_url | 2 +-
 scripts/install | 10 +---------
 scripts/upgrade | 12 ++----------
 5 files changed, 21 insertions(+), 25 deletions(-)
 delete mode 100644 conf/hash_generator.py
diff --git a/conf/hash_generator.py b/conf/hash_generator.py
deleted file mode 100644
index 5b021b7..0000000
--- a/conf/hash_generator.py
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env python
-import sys
-from werkzeug.security import generate_password_hash
-
-print(generate_password_hash(sys.argv[1]))
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 341ea2e..0147974 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -43,6 +43,23 @@ __ynh_python_venv_get_site_packages_dir() {
 "$venv_dir/bin/python3" -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])'
 }
+# shellcheck disable=SC2016
+HASH_PASSWORD_PYTHON='
+import sys, hashlib, uuid
+password = sys.argv[1].encode("utf-8")
+
+salt_text = uuid.uuid4().hex
+salt = salt_text.encode("utf-8")
+pbkdf2_iterations = 600000
+
+hash = hashlib.pbkdf2_hmac("sha256", password, salt, pbkdf2_iterations).hex()
+print(f"pbkdf2:sha256:{pbkdf2_iterations}${salt_text}${hash}")
+'
+
+_hash_password() {
+ password=$1
+ python3 -c "$HASH_PASSWORD_PYTHON" "$password"
+}
 #=================================================
 # EXPERIMENTAL HELPERS
diff --git a/scripts/change_url b/scripts/change_url
index c5a8367..8cb79c0 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -32,7 +32,7 @@ ynh_change_url_nginx_config
 #=================================================
 # Setup ihatemoney.cfg
 #=================================================
-#REMOVEME?
+
 path="$new_path"
 domain="$new_domain"
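Review bot: `_hash_password` in scripts/_common.sh passes the cleartext password to `python3` as a command-line argument, where it is typically readable by other local users through the process list while the interpreter runs. The deleted `hash_generator.py` call had the same exposure, but the new helper can avoid it by reading the password from stdin: `printf '%s' "$1" | python3 -c "$HASH_PASSWORD_PYTHON"` on the shell side and `password = sys.stdin.buffer.read()` in the Python snippet (`printf` is a shell builtin, so no process carries the password in its argv). In the same hunk, `password=$1` should be `local password=$1` so the helper does not overwrite the caller's global `password`. `secrets.token_hex(16)` would also state the purpose of the salt more directly than `uuid.uuid4().hex`.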
diff --git a/scripts/install b/scripts/install
index 500c6b6..ff94957 100755
--- a/scripts/install
+++ b/scripts/install
@@ -41,15 +41,7 @@ ynh_script_progression --message="Adding a configuration file..."
 secret_key=$(ynh_string_random --length=32)
 ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
-#run source in a 'sub shell'
-(
- set +o nounset
- source "${install_dir}/venv/bin/activate"
- set -o nounset
- python3 ../conf/hash_generator.py $password > ${install_dir}/key.txt
-)
-
-hashed_password=$(cat "$install_dir/key.txt")
+hashed_password=$(_hash_password "$password")
 ynh_secure_remove --file="$install_dir/key.txt"
 ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password
diff --git a/scripts/upgrade b/scripts/upgrade
index 7fe01a5..1f41265 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -76,17 +76,9 @@ if [ -z "${secret_key:-}" ]; then
 fi
 # If hashed_password doesn't exist, create it
-if [ -z "${hashed_password:-}" ] && [ test -f "${install_dir}/venv/bin/activate" ]; then
+if [ -z "${hashed_password:-}" ]; then
 password=$(ynh_string_random --length=16)
- #run source in a 'sub shell'
- (
- set +o nounset
- source "${install_dir}/venv/bin/activate"
- set -o nounset
- python3 ../conf/hash_generator.py $password > ${install_dir}/key.txt
- )
-
- hashed_password=$(cat $install_dir/key.txt)
+ hashed_password=$(_hash_password "$password")
 ynh_secure_remove --file="$install_dir/key.txt"
 ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password
 fi
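Review bot: The context line `ynh_secure_remove --file="$install_dir/key.txt"` right after the new `hashed_password=$(_hash_password "$password")` in scripts/install still removes a file that this script no longer writes, and the same leftover follows the new line in scripts/upgrade. In install the line can be dropped. In upgrade it is only useful if an earlier version could have left `key.txt` behind, in which case a comment such as `# clean up key.txt left by the old hash_generator.py flow` would explain why it stays.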
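Review bot: In scripts/upgrade the `password` produced by `ynh_string_random --length=16` is hashed and then, in the lines visible here, never stored or shown, so nobody knows the password behind the saved `hashed_password`. If that is intended, a comment on the block should say so, for example `# throwaway password: only the hash is kept, an admin must set a real one later`; if it is not, the cleartext has to reach the admin some other way. The old condition's second test, `[ test -f ... ]`, looks malformed, so this branch may not have run before this change and the behaviour is likely to be reached more often now.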