PyPI - plain.auth - Versions diffs - 0.17.0__tar.gz → 0.18.0__tar.gz - Mend

plain.auth 0.17.0tar.gz → 0.18.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

{plain_auth-0.17.0 → plain_auth-0.18.0}/.gitignore RENAMED Viewed

@@ -11,8 +11,6 @@ plain*/tests/.plain
 # Ottobot
 .aider*
-/llms-full.txt
 # Plain temp dirs
 .plain

{plain_auth-0.17.0 → plain_auth-0.18.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain.auth
-Version: 0.17.0
+Version: 0.18.0
 Summary: Add users to your app and decide what they can access.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain_auth-0.17.0 → plain_auth-0.18.0}/plain/auth/CHANGELOG.md RENAMED Viewed

@@ -1,5 +1,15 @@
 # plain-auth changelog
+## [0.18.0](https://github.com/dropseed/plain/releases/plain-auth@0.18.0) (2025-09-19)
+### What's changed
+- Removed deprecated `constant_time_compare` utility function, replaced with Python's built-in `hmac.compare_digest()` for improved security in session management ([55f3f55](https://github.com/dropseed/plain/commit/55f3f5596d))
+### Upgrade instructions
+- No changes required
 ## [0.17.0](https://github.com/dropseed/plain/releases/plain-auth@0.17.0) (2025-09-12)
 ### What's changed

{plain_auth-0.17.0 → plain_auth-0.18.0}/plain/auth/sessions.py RENAMED Viewed

@@ -1,7 +1,10 @@
+import hmac
 from plain.exceptions import ImproperlyConfigured
 from plain.models import models_registry
 from plain.runtime import settings
-from plain.utils.crypto import constant_time_compare, salted_hmac
+from plain.utils.crypto import salted_hmac
+from plain.utils.encoding import force_bytes
 USER_ID_SESSION_KEY = "_auth_user_id"
 USER_HASH_SESSION_KEY = "_auth_user_hash"
@@ -60,8 +63,9 @@ def login(request, user):
             # session if the existing session corresponds to a different
             # authenticated user.
             request.session.flush()
-        elif session_auth_hash and not constant_time_compare(
-            request.session.get(USER_HASH_SESSION_KEY, ""), session_auth_hash
+        elif session_auth_hash and not hmac.compare_digest(
+            force_bytes(request.session.get(USER_HASH_SESSION_KEY, "")),
+            force_bytes(session_auth_hash),
         ):
             # If the session hash does not match the current hash, reset the
             # session. Most likely this means the password was changed.
@@ -131,15 +135,17 @@ def get_user(request):
             session_hash_verified = False
         else:
             session_auth_hash = get_session_auth_hash(user)
-            session_hash_verified = constant_time_compare(
-                session_hash, session_auth_hash
+            session_hash_verified = hmac.compare_digest(
+                force_bytes(session_hash), force_bytes(session_auth_hash)
             )
         if not session_hash_verified:
             # If the current secret does not verify the session, try
             # with the fallback secrets and stop when a matching one is
             # found.
             if session_hash and any(
-                constant_time_compare(session_hash, fallback_auth_hash)
+                hmac.compare_digest(
+                    force_bytes(session_hash), force_bytes(fallback_auth_hash)
+                )
                 for fallback_auth_hash in get_session_auth_fallback_hash(user)
             ):
                 request.session.cycle_key()

{plain_auth-0.17.0 → plain_auth-0.18.0}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "plain.auth"
-version = "0.17.0"
+version = "0.18.0"
 description = "Add users to your app and decide what they can access."
 authors = [{name = "Dave Gaeddert", email = "dave.gaeddert@dropseed.dev"}]
 readme = "README.md"