# HG changeset patch
# User Mads Kiilerich
# Date 2017-06-11 15:02:09
# Node ID 30d61922f24eb144190052818c3fc6a24562f42b
# Parent b99cd2bc7540bfde8f017ae0b8e7519e4d937365
auth: fix crash on invalid bcrypt password

When an invalid password was specified, it would with an exception:

File "kallithea/lib/auth.py", in check_password
return bcrypt.checkpw(safe_str(password), safe_str(hashed))
ValueError: Invalid hashed_password salt

We do apparently have to catch ValueError and treat it as "invalid password".

diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -121,7 +121,13 @@ def check_password(password, hashed):
         return hashlib.sha256(password).hexdigest() == hashed
     elif is_unix:
         import bcrypt
-        return bcrypt.checkpw(safe_str(password), safe_str(hashed))
+        print (safe_str(password), safe_str(hashed))
+        try:
+            return bcrypt.checkpw(safe_str(password), safe_str(hashed))
+        except ValueError as e:
+            # bcrypt will throw ValueError 'Invalid hashed_password salt' on all password errors
+            log.error('error from bcrypt checking password: %s', e)
+            return False
     else:
         raise Exception('Unknown or unsupported platform %s' \
             % __platform__)
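Review bot: The added `print (safe_str(password), safe_str(hashed))` in the `elif is_unix:` branch writes the cleartext password and the stored hash to stdout on every bcrypt check; it looks like leftover debugging and should be dropped before this lands, since anything capturing the process output (service logs, a terminal, a CI job) then holds user credentials. The new `log.error` line is fine as written because it records only the bcrypt message, not the inputs. The comment on the except branch overstates the case: `bcrypt.checkpw` returns False for a non-matching password and raises ValueError when `hashed` is not a well-formed bcrypt hash, so the branch catches a bad stored value rather than "all password errors" — I would reword it to `# bcrypt raises ValueError ('Invalid hashed_password salt') when the stored hash is not a valid bcrypt hash; treat that as a failed check`. The `def check_password` header is only visible in the hunk context, so the start of the function lies outside this hunk.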