Huge improvements

* Unblock hashing (tested in Postman)
* Reconsider DI scopes
* Remove redundant code

Author: ivan-borovets

config/local/.secrets.toml

@@ -10,19 +10,22 @@ PASSWORD = "changethis"
 # Recommended: Use a cryptographically secure random generator to create a
 # string of at least 32 characters including numbers, letters, and symbols
 PEPPER = "REPLACE_THIS_WITH_YOUR_OWN_SECRET_PEPPER_VALUE"
+# https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#introduction
+HASHER_WORK_FACTOR = 11
+# CPU-bound & GIL released: per-worker ≈ max(1, floor(effective vCPUs / workers))
+HASHER_MAX_THREADS = 8
 
 [security.auth]
 # Recommended: Use a cryptographically secure random generator to create a
 # string of at least 32 characters including numbers, letters, and symbols
 JWT_SECRET = "REPLACE_THIS_WITH_YOUR_OWN_SECRET_VALUE"
-# JWT_ALGORITHM can be set to "HS256", "HS384", "HS512", "RS256", "RS384", "RS512"
+# Can be set to "HS256", "HS384", "HS512", "RS256", "RS384", "RS512"
 JWT_ALGORITHM = "HS256"
-# SESSION_TTL_MIN must be at least 1 (number of minutes)
+# Must be at least 1 (number of minutes)
 SESSION_TTL_MIN = 5
-# SESSION_REFRESH_THRESHOLD must be a number (fraction, 0 < fraction < 1)
+# Must be a number (fraction, 0 < fraction < 1)
 SESSION_REFRESH_THRESHOLD = 0.2
 
 [security.cookies]
-# Secure can be set to 0 or 1
-# Choose 1 for production (secure=True, samesite="Strict")
+# Can be set to 0 or 1, choose 1 for production (secure=True, samesite="Strict")
 SECURE = 0

config/local/config.toml

@@ -19,5 +19,5 @@ MAX_OVERFLOW = 10
 
 # Logs
 [logs]
-# Level can be set to "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"
+# Can be set to "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"
 LEVEL = "DEBUG"

src/app/application/commands/create_user.py

@@ -80,7 +80,9 @@ async def execute(self, request_data: CreateUserRequest) -> CreateUserResponse:
 
         username = Username(request_data.username)
         password = RawPassword(request_data.password)
-        user = self._user_service.create_user(username, password, request_data.role)
+        user = await self._user_service.create_user(
+            username, password, request_data.role
+        )
 
         self._user_command_gateway.add(user)
 

src/app/application/commands/set_user_password.py

@@ -92,7 +92,7 @@ async def execute(self, request_data: SetUserPasswordRequest) -> None:
             ),
         )
 
-        self._user_service.change_password(user, password)
+        await self._user_service.change_password(user, password)
         await self._transaction_manager.commit()
 
         log.info("Set user password: done. Target user ID: '%s'.", user.id_.value)

src/app/domain/ports/password_hasher.py

@@ -6,7 +6,11 @@
 
 class PasswordHasher(Protocol):
     @abstractmethod
-    def hash(self, raw_password: RawPassword) -> bytes: ...
+    async def hash(self, raw_password: RawPassword) -> bytes: ...
 
     @abstractmethod
-    def verify(self, *, raw_password: RawPassword, hashed_password: bytes) -> bool: ...
+    async def verify(
+        self,
+        raw_password: RawPassword,
+        hashed_password: bytes,
+    ) -> bool: ...

src/app/domain/services/user.py

@@ -22,7 +22,7 @@ def __init__(
         self._user_id_generator = user_id_generator
         self._password_hasher = password_hasher
 
-    def create_user(
+    async def create_user(
         self,
         username: Username,
         raw_password: RawPassword,
@@ -37,7 +37,8 @@ def create_user(
             raise RoleAssignmentNotPermittedError(role)
 
         user_id = UserId(self._user_id_generator.generate())
-        password_hash = UserPasswordHash(self._password_hasher.hash(raw_password))
+        password_hash_value = await self._password_hasher.hash(raw_password)
+        password_hash = UserPasswordHash(password_hash_value)
         return User(
             id_=user_id,
             username=username,
@@ -46,14 +47,15 @@ def create_user(
             is_active=is_active,
         )
 
-    def is_password_valid(self, user: User, raw_password: RawPassword) -> bool:
-        return self._password_hasher.verify(
+    async def is_password_valid(self, user: User, raw_password: RawPassword) -> bool:
+        return await self._password_hasher.verify(
             raw_password=raw_password,
             hashed_password=user.password_hash.value,
         )
 
-    def change_password(self, user: User, raw_password: RawPassword) -> None:
-        hashed_password = UserPasswordHash(self._password_hasher.hash(raw_password))
+    async def change_password(self, user: User, raw_password: RawPassword) -> None:
+        password_hash_value = await self._password_hasher.hash(raw_password)
+        hashed_password = UserPasswordHash(password_hash_value)
         user.password_hash = hashed_password
 
     def toggle_user_activation(self, user: User, *, is_active: bool) -> bool:

src/app/infrastructure/adapters/password_hasher_bcrypt.py

@@ -1,44 +1,64 @@
+import asyncio
 import base64
 import hashlib
 import hmac
-from typing import NewType
+import logging
 
 import bcrypt
 
 from app.domain.ports.password_hasher import PasswordHasher
 from app.domain.value_objects.raw_password import RawPassword
+from app.infrastructure.adapters.types import HasherThreadPoolExecutor
 
-PasswordPepper = NewType("PasswordPepper", str)
+log = logging.getLogger(__name__)
 
 
 class BcryptPasswordHasher(PasswordHasher):
-    def __init__(self, pepper: PasswordPepper):
+    def __init__(
+        self,
+        pepper: str,
+        work_factor: int,
+        executor: HasherThreadPoolExecutor,
+    ):
         self._pepper = pepper
+        self._work_factor = work_factor
+        self._executor = executor
 
-    def hash(self, raw_password: RawPassword) -> bytes:
+    async def hash(self, raw_password: RawPassword) -> bytes:
+        loop = asyncio.get_running_loop()
+        return await loop.run_in_executor(self._executor, self.hash_sync, raw_password)
+
+    async def verify(self, raw_password: RawPassword, hashed_password: bytes) -> bool:
+        loop = asyncio.get_running_loop()
+        return await loop.run_in_executor(
+            self._executor,
+            self.verify_sync,
+            raw_password,
+            hashed_password,
+        )
+
+    def hash_sync(self, raw_password: RawPassword) -> bytes:
         """
-        Bcrypt is limited to 72-character passwords. Adding a pepper may surpass this character count.
-        To keep the input within the 72-character limit, pre-hashing can be employed.
-        One option is using HMAC-SHA256, which produces a fixed-length digest of the peppered password.
-        However, pre-hashing may introduce null bytes, which `bcrypt` cannot process correctly.
-        This issue can be resolved by applying `base64` encoding to the digest.
-        The resulting `base64(hmac-sha256(password, pepper))` string is then ready for bcrypt hashing.
-        Salt is added to this string before passing it to `bcrypt` for the final hashing step.
-        Inspired by: https://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html
+        Pre-hashing:
+        https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords-with-bcrypt
+        Work factor:
+        https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#introduction
         """
-        base64_hmac_password: bytes = self._add_pepper(raw_password, self._pepper)
-        salt: bytes = bcrypt.gensalt()
-        return bcrypt.hashpw(base64_hmac_password, salt)
+        log.debug("hash")
+        base64_hmac_peppered: bytes = self._add_pepper(raw_password, self._pepper)
+        salt: bytes = bcrypt.gensalt(rounds=self._work_factor)
+        return bcrypt.hashpw(base64_hmac_peppered, salt)
+
+    def verify_sync(self, raw_password: RawPassword, hashed_password: bytes) -> bool:
+        log.debug("verify")
+        base64_hmac_peppered: bytes = self._add_pepper(raw_password, self._pepper)
+        return bcrypt.checkpw(base64_hmac_peppered, hashed_password)
 
     @staticmethod
-    def _add_pepper(raw_password: RawPassword, pepper: PasswordPepper) -> bytes:
+    def _add_pepper(raw_password: RawPassword, pepper: str) -> bytes:
         hmac_password: bytes = hmac.new(
             key=pepper.encode(),
             msg=raw_password.value.encode(),
-            digestmod=hashlib.sha256,
+            digestmod=hashlib.sha384,
         ).digest()
         return base64.b64encode(hmac_password)
-
-    def verify(self, *, raw_password: RawPassword, hashed_password: bytes) -> bool:
-        base64_hmac_password: bytes = self._add_pepper(raw_password, self._pepper)
-        return bcrypt.checkpw(base64_hmac_password, hashed_password)

src/app/infrastructure/adapters/types.py

@@ -1,5 +1,7 @@
+from concurrent.futures import ThreadPoolExecutor
 from typing import NewType
 
 from sqlalchemy.ext.asyncio import AsyncSession
 
 MainAsyncSession = NewType("MainAsyncSession", AsyncSession)
+HasherThreadPoolExecutor = NewType("HasherThreadPoolExecutor", ThreadPoolExecutor)

src/app/infrastructure/auth/handlers/change_password.py

@@ -62,10 +62,13 @@ async def execute(self, request_data: ChangePasswordRequest) -> None:
         if current_password == new_password:
             raise AuthenticationChangeError(AUTH_PASSWORD_NEW_SAME_AS_CURRENT)
 
-        if not self._user_service.is_password_valid(current_user, current_password):
+        if not await self._user_service.is_password_valid(
+            current_user,
+            current_password,
+        ):
             raise ReAuthenticationError(AUTH_PASSWORD_INVALID)
 
-        self._user_service.change_password(current_user, new_password)
+        await self._user_service.change_password(current_user, new_password)
         await self._transaction_manager.commit()
 
         log.info("Change password: done. User ID: '%s'.", current_user.id_.value)

src/app/infrastructure/auth/handlers/sign_up.py

@@ -74,7 +74,7 @@ async def execute(self, request_data: SignUpRequest) -> SignUpResponse:
         username = Username(request_data.username)
         password = RawPassword(request_data.password)
 
-        user = self._user_service.create_user(username, password)
+        user = await self._user_service.create_user(username, password)
 
         self._user_command_gateway.add(user)