refactor(auth): centralize token hashing, email validation & admin gating
- app/utils.py: shared valid_email() + now_utc() (one email regex, was duplicated in auth.py and admin.py with a looser "@"-in check elsewhere). - security.hash_token(): one SHA-256 token hasher (was duplicated in auth.py + state.py). - auth.admin_user dependency + count_admins() helper, replacing the inline role checks and the last-admin count query repeated across admin.py/me.py/tags.py.
This commit is contained in:
parent
8ef748c7b8
commit
63701f5344
7 changed files with 84 additions and 65 deletions
|
|
@ -1,3 +1,5 @@
|
|||
import hashlib
|
||||
|
||||
from argon2 import PasswordHasher
|
||||
from cryptography.fernet import Fernet
|
||||
|
||||
|
|
@ -7,6 +9,12 @@ from app.config import settings
|
|||
_ph = PasswordHasher()
|
||||
|
||||
|
||||
def hash_token(raw: str) -> str:
|
||||
"""SHA-256 hex digest for storing single-use tokens (email-link tokens, the setup token)
|
||||
by hash rather than in cleartext. Not a password hash — these are high-entropy randoms."""
|
||||
return hashlib.sha256(raw.encode()).hexdigest()
|
||||
|
||||
|
||||
def hash_password(password: str) -> str:
|
||||
return _ph.hash(password)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue