Argon Conversion (#421)

DMalone87 · Mike Yavorsky · web-flow · commit 0be77d3c562f · 2025-02-17T20:56:36.000-06:00
* Argon Conversion - 1st Attempt
Attempting to convert the password hashing to argon2. This is the first
attempt at the conversion.
It appears that the API function was completely broken by this attempt
and no API calls are accepted. The API is returning a 403 error for all
requests.

* Fix port assignment

* Remove jupyter from backend reqs

* Flake8 Corrections

* import password hasher and avoid fixture for app context

* fix flake8 issue

* use cffi 1.17.1

* Remove platform specification

* Update reqs

---------

Co-authored-by: Mike Yavorsky &lt;mikeyavorsky@fastmail.com&gt;
diff --git a/.env.template b/.env.template
@@ -4,7 +4,7 @@ GRAPH_DB=police_data
 GRAPH_URI=db
 GRAPH_NM_URI=db:7687
 GRAPH_PORT=5432
-NPDI_API_PORT=5000
+NPDI_API_PORT=5001
 MIXPANEL_TOKEN=your_mixpanel_token
 MAIL_SERVER=mail.yourdomain.com
 MAIL_PORT=465
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -7,30 +7,30 @@ RUN apt-get update -y && apt-get install -y \
     libpq-dev \
     gcc \
     python3-dev \
-    libffi-dev
+    libffi-dev \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
 
 # Install Rust
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 ENV PATH="/root/.cargo/bin:${PATH}"
 
-
+# Add docker-compose-wait (if still needed)
 ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.12.1/wait /wait
 RUN chmod +x /wait
 
-
 FROM base
 WORKDIR /app/
 
-ARG NPDI_API_PORT=5000
-
 RUN pip3 install --upgrade pip
 
 COPY requirements/ requirements/
-
 RUN pip3 install -r requirements/dev_unix.txt
+
 COPY . .
 
-ENV PORT=$NPDI_API_PORT
+ARG NPDI_API_PORT=5001
+ENV NPDI_API_PORT=$NPDI_API_PORT
+EXPOSE $NPDI_API_PORT
 
 CMD /wait && ./run_dev.sh
-
diff --git a/backend/Dockerfile.cloud b/backend/Dockerfile.cloud
@@ -1,7 +1,6 @@
 # Stage 1: Build Stage
 FROM python:3-slim-bookworm AS build
 
-# Install required packages
 RUN apt-get update -y && apt-get install -y \
     gcc \
     g++ \
@@ -13,21 +12,13 @@ RUN apt-get update -y && apt-get install -y \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Rust
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
-    && . "$HOME/.cargo/env"
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 ENV PATH="/root/.cargo/bin:${PATH}"
 
 WORKDIR /app/
 
+# Instead of manually downloading a wheel, rely on pip:
 COPY requirements/prod.txt .
-
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-RUN arch=$(arch) && \
-    file=pandas-2.2.2-cp312-cp312-manylinux_2_17_${arch}.manylinux2014_${arch}.whl && \
-    url="https://pypi.debian.net/pandas/${file}" && \
-    wget ${url} && \
-    sed -i "s/pandas==2.2.2/${file}/" prod.txt
-
 RUN pip install --no-cache-dir --user -r prod.txt
 
 COPY . .
@@ -42,12 +33,11 @@ ARG NPDI_API_PORT=5000
 # Copy installed packages from the build stage
 COPY --from=build /root/.local /root/.local
 
-# Update PATH to include pip-installed packages
 ENV PATH=/root/.local/bin:${PATH}
 
 COPY . .
 
 EXPOSE $NPDI_API_PORT
 ENV NPDI_API_PORT=$NPDI_API_PORT
 
-ENTRYPOINT [ "./run_cloud.sh" ]
+ENTRYPOINT ["./run_cloud.sh"]
diff --git a/backend/api.py b/backend/api.py
@@ -4,6 +4,7 @@
 from flask import Flask
 from flask_mail import Mail
 from flask_cors import CORS
+from argon2 import PasswordHasher
 from backend.config import get_config_from_env
 from backend.auth import jwt, refresh_token
 from backend.schemas import spec
@@ -46,7 +47,7 @@ def register_extensions(app: Flask):
     # Neo4j setup
     # Driver setup
     db_driver = GraphDatabase.driver(
-        f"bolt://{app.config["GRAPH_NM_URI"]}",
+        f'bolt://{app.config["GRAPH_NM_URI"]}',
         auth=(
             app.config["GRAPH_USER"],
             app.config["GRAPH_PASSWORD"]
@@ -70,10 +71,12 @@ def register_extensions(app: Flask):
     neo_config.DATABASE_URL = neo_url
 
     spec.register(app)
-    # login_manager.init_app(app)
-    # TODO: Add the correct route info
-    # login_manager.login_view = 'auth.login'
+
+    # Authentication
+    ph = PasswordHasher()
+    app.config['PASSWORD_HASHER'] = ph
     jwt.init_app(app)
+
     Mail(app)
     CORS(app, resources={r"/api/*": {"origins": "*"}})
 
diff --git a/backend/database/models/user.py b/backend/database/models/user.py
@@ -1,6 +1,7 @@
 """Define the SQL classes for Users."""
 
-from werkzeug.security import generate_password_hash, check_password_hash
+from flask import current_app
+from argon2 import exceptions as argon2_exceptions
 from backend.schemas import JsonSerializable, PropertyEnum
 from neomodel import (
     Relationship, StructuredNode,
@@ -68,6 +69,14 @@ class User(StructuredNode, JsonSerializable):
         'backend.database.models.source.StagedInvitation',
         "EXTENDED")
 
+    def _get_password_hasher(self):
+        """
+        Get the password hasher.
+        Returns:
+            PasswordHasher: The password hasher.
+        """
+        return current_app.config['PASSWORD_HASHER']
+
     def verify_password(self, pw: str) -> bool:
         """
         Verify the user's password using bcrypt.
@@ -77,16 +86,22 @@ def verify_password(self, pw: str) -> bool:
         Returns:
             bool: True if the password is correct, False otherwise.
         """
-        # return bcrypt.checkpw(pw.encode("utf8"), self.password.encode("utf8"))
-        return check_password_hash(self.password_hash, pw)
+        try:
+            return self._get_password_hasher().verify(self.password_hash, pw)
+        except argon2_exceptions.VerifyMismatchError:
+            return False
+        except argon2_exceptions.VerificationError:
+            return False
+        except argon2_exceptions.InvalidHash:
+            return False
 
     def set_password(self, pw: str):
         """
         Set the user's password.
         Args:
             pw (str): The password to set.
         """
-        self.password_hash = User.hash_password(pw)
+        self.password_hash = self.hash_password(pw)
 
     def send_email_verification(self):
         """
@@ -119,7 +134,7 @@ def hash_password(cls, pw: str) -> str:
         Returns:
             str: The hashed password.
         """
-        return generate_password_hash(pw)
+        return current_app.config['PASSWORD_HASHER'].hash(pw)
 
     @classmethod
     def get_by_email(cls, email: str) -> "User":
diff --git a/backend/routes/auth.py b/backend/routes/auth.py
@@ -69,6 +69,7 @@ def register():
     """
     logger = logging.getLogger("user_register")
     body: RegisterUserDTO = request.validated_body
+    logger.info(f"Registering user with email {body.email}.")
 
     # Check to see if user already exists
     user = User.nodes.first_or_none(email=body.email)
diff --git a/backend/tests/test_auth.py b/backend/tests/test_auth.py
@@ -1,9 +1,12 @@
 import pytest
 from backend.database.models.user import User, UserRole
+from argon2 import PasswordHasher
+
+ph = PasswordHasher()
 
 mock_user = {
     "email": "existing@email.com",
-    "password_hash": User.hash_password("my_password"),
+    "password_hash": ph.hash("my_password"),
     "first_name": "John",
     "last_name": "Doe",
     "phone_number": "1234567890",
@@ -20,8 +23,12 @@ def existing_user():
 
 @pytest.mark.parametrize(
     (
-        "email", "password", "firstname", "lastname",
-        "phone_number", "expected_status_code"
+        "email",
+        "password",
+        "firstname",
+        "lastname",
+        "phone_number",
+        "expected_status_code",
     ),
     [
         ("new_user@email.com", "my_password", "John", "Doe", "1234567890", 200),
@@ -31,9 +38,14 @@ def existing_user():
     ],
 )
 def test_register(
-    client, existing_user, email, password,
-    firstname, lastname, phone_number,
-    expected_status_code
+    client,
+    existing_user,
+    email,
+    password,
+    firstname,
+    lastname,
+    phone_number,
+    expected_status_code,
 ):
     res = client.post(
         "api/v1/auth/register",
@@ -43,7 +55,7 @@ def test_register(
             "firstname": firstname,
             "lastname": lastname,
             "phone_number": phone_number,
-        }
+        },
     )
 
     assert res.status_code == expected_status_code
@@ -68,8 +80,7 @@ def test_register(
     [("my_password", 200), ("bad_password", 401), (None, 422)],
 )
 def test_login(
-    db_session,
-    client, example_user, password, expected_status_code
+    db_session, client, example_user, password, expected_status_code
 ):
     res = client.post(
         "api/v1/auth/login",
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -43,7 +43,7 @@ services:
       context: .
       dockerfile: ./backend/Dockerfile
       args:
-        NPDI_API_PORT: ${NPDI_API_PORT:-5000}
+        NPDI_API_PORT: ${NPDI_API_PORT:-5001}
     volumes:
       - .:/app
     depends_on:
@@ -57,7 +57,7 @@ services:
       MIXPANEL_TOKEN: ${MIXPANEL_TOKEN:-notset}
       WAIT_HOSTS: db:7687
     ports:
-      - ${NPDI_API_PORT:-5000}:${NPDI_API_PORT:-5000}
+      - ${NPDI_API_PORT:-5001}:${NPDI_API_PORT:-5001}
 volumes:
   neo4j: {}
   neo4j_logs: {}
diff --git a/requirements/Dockerfile b/requirements/Dockerfile
@@ -1,24 +1,21 @@
-# psycopg requires postgres development files in order to compile the
-# requirements, so this image starts with the same image as the database
-# containers and installs the same version of python as the api containers
-
-FROM postgres:17 as base
+FROM python:3-slim-bookworm
 
+# Install packages required to build Python and extensions
 RUN apt-get update && apt-get install -y \
-    make build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev \
-    libsqlite3-dev wget curl llvm libncursesw5-dev xz-utils tk-dev \
-    libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev git
-
-FROM base
+    curl wget git make build-essential libssl-dev zlib1g-dev libbz2-dev \
+    libreadline-dev libsqlite3-dev llvm libncursesw5-dev xz-utils tk-dev \
+    libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev ca-certificates \
+    libopenblas-dev gfortran \
+    && rm -rf /var/lib/apt/lists/*
 
-SHELL ["bash", "-lc"]
-RUN curl https://pyenv.run | bash && \
-    echo 'export PATH="$HOME/.pyenv/shims:$HOME/.pyenv/bin:$PATH"' >> ~/.bashrc
+# Install Rust and Cargo for packages requiring Rust
+RUN curl https://sh.rustup.rs -sSf | sh -s -- -y
+ENV PATH="/root/.cargo/bin:${PATH}"
 
-ENV PYTHON_VERSION=3.13.0
-RUN pyenv install ${PYTHON_VERSION} && pyenv global ${PYTHON_VERSION}
-RUN pip install -U pip-tools
+# Upgrade pip and install pip-tools
+RUN pip install --no-cache-dir -U pip pip-tools
 
+# Copy requirements directory and run the update script
 COPY . requirements/
 
-CMD python requirements/update.py
+CMD python requirements/update.py
diff --git a/requirements/_core.in b/requirements/_core.in
@@ -1,3 +1,4 @@
+argon2-cffi
 bcrypt
 black
 boto3
@@ -28,9 +29,9 @@ openpyxl
 xlsxwriter
 numpy
 spectree
-jupyter
 mixpanel
 ua-parser
 ujson
 neo4j
 neomodel==5.3.3
+cffi==1.17.1
diff --git a/requirements/dev_unix.txt b/requirements/dev_unix.txt
diff --git a/requirements/dev_windows.txt b/requirements/dev_windows.txt
diff --git a/requirements/docs.txt b/requirements/docs.txt
diff --git a/requirements/prod.txt b/requirements/prod.txt
diff --git a/run_dev.sh b/run_dev.sh
