Skip to content

♻️ Replace passlib with pwdlib #1941

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

♻️ Replace passlib with pwdlib #1941

wants to merge 4 commits into from
+173 −39

Conversation

@4sushi
Copy link

@4sushi 4sushi commented Oct 20, 2025

Replace hash library passlib by pwdlib, since passlib is not stable.
Pwdlib is used by fastapi.

Related PR

#1539

@YuriiMotov YuriiMotov changed the title ♻️ Replace passlib by pwdlib ♻️ Replace passlib with pwdlib Oct 20, 2025
YuriiMotov

This comment was marked as outdated.

Sign in to view

@YuriiMotov YuriiMotov dismissed their stale review October 20, 2025 12:45

Changes are needed

YuriiMotov
YuriiMotov requested changes Oct 20, 2025
View reviewed changes
Copy link
Member

@YuriiMotov YuriiMotov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@4sushi, thanks for your interest!

Since we change the hashing algorithm, this changes will be breaking for existing projects.
I think we should keep supporting Bcrypt for existing password hashes, but use Argon2 for new as it's explained in docs: https://frankie567.github.io/pwdlib/guide/#password-hashing

@ceb10n
Copy link

ceb10n commented Nov 16, 2025

It should be very straightforward to keep bcrypt support based on to the docs @YuriiMotov shared, @4sushi 😄

You just need to update pyproject.toml:

"pwdlib[argon2,bcrypt]>=0.2.1",

And in security.py, import and configure both hashers:

from pwdlib import PasswordHash
from pwdlib.hashers.argon2 import Argon2Hasher
from pwdlib.hashers.bcrypt import BcryptHasher

password_hash = PasswordHash(
    (
        Argon2Hasher(),
        BcryptHasher(),
    )
)

All tests will pass:

image

@github-actions github-actions bot removed the waiting label Nov 16, 2025
YuriiMotov
YuriiMotov approved these changes Nov 19, 2025
View reviewed changes
Copy link
Member

@YuriiMotov YuriiMotov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Changes are not breaking - we support existing passwords hashed with bcrypt, but generate new passwords using argon2. Tested it locally.

Thanks @4sushi for initial work!
Thanks @ceb10n for review!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@YuriiMotov YuriiMotov YuriiMotov approved these changes

Assignees

No one assigned

Labels

refactor

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@4sushi @ceb10n @YuriiMotov