From 6d626ff2663a8f1aeaf4e94d022be03d3d64eb1e Mon Sep 17 00:00:00 2001
From: curo1305
Date: Fri, 17 Apr 2026 20:58:02 +0200
Subject: [PATCH] Make bcrypt work factor explicit (13 rounds)
Co-Authored-By: Claude Sonnet 4.6
---
 backend/app/core/security.py | 5 ++++-
 changelog/2026-04-17_groups-and-admin-nav.md | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/backend/app/core/security.py b/backend/app/core/security.py
index a21d983..6a62429 100644
--- a/backend/app/core/security.py
+++ b/backend/app/core/security.py
@@ -6,8 +6,11 @@ from jose import jwt
 from app.core.config import settings
+_BCRYPT_ROUNDS = 13 # ~300 ms on modern hardware; increase over time as CPUs get faster
+
+
 def hash_password(password: str) -> str:
- return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
+ return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=_BCRYPT_ROUNDS)).decode()
 def verify_password(plain: str, hashed: str) -> bool:
diff --git a/changelog/2026-04-17_groups-and-admin-nav.md b/changelog/2026-04-17_groups-and-admin-nav.md
index 1dc5c71..8502b2a 100644
--- a/changelog/2026-04-17_groups-and-admin-nav.md
+++ b/changelog/2026-04-17_groups-and-admin-nav.md
@@ -25,3 +25,15 @@ Added a Groups system (backend models, API, migration) and split the Admin sideb
 - `frontend/src/components/Sidebar.tsx` — Admin item is now an expandable accordion with Users and Groups sub-items
 - `backend/STATUS.md` — Documented groups endpoints, models, updated future work
 - `frontend/STATUS.md` — Documented new routes, pages, API client functions
+
+---
+
+# 2026-04-17 — Explicit bcrypt work factor
+
+**Timestamp:** 2026-04-17T15:00:00Z
+
+## Summary
+Made the bcrypt cost factor explicit (13 rounds, ~300 ms) in `hash_password` so it is easy to audit and increase over time.
+
+## Files Modified
+- `backend/app/core/security.py` — added `_BCRYPT_ROUNDS = 13`; passed `rounds=` to `bcrypt.gensalt()`
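Review bot: Raising `_BCRYPT_ROUNDS` later will not strengthen hashes already stored, because bcrypt verification reads the cost from the hash itself, so the "increase over time" comment on the new constant promises a migration path this hunk does not provide. A small `needs_rehash(hashed)` helper that compares the cost field of the `$2b$NN$...` prefix against `_BCRYPT_ROUNDS` lets the login path call `hash_password` again after a successful `verify_password` (whose body lies outside this hunk). Separately, `password.encode()` goes straight into `hashpw`, and bcrypt only consumes the first 72 bytes — depending on the installed `bcrypt` version, longer inputs are silently truncated or rejected with `ValueError` — so the caller should enforce a length limit at the input boundary and `hash_password` should document it with a docstring such as `"""Hash *password* with bcrypt at _BCRYPT_ROUNDS; inputs over 72 bytes are not fully hashed."""`. Note also that ~300 ms per attempt is CPU the server spends on every login, failed ones included, so this cost factor should be paired with rate limiting on the authentication endpoint.
```python
def needs_rehash(hashed: str) -> bool:
    """Return True when *hashed* was made with fewer rounds than _BCRYPT_ROUNDS.

    The cost lives in the second `$`-delimited field of a bcrypt hash
    (e.g. ``$2b$13$...``); unparseable input is treated as needing a rehash.
    """
    try:
        return int(hashed.split("$")[2]) < _BCRYPT_ROUNDS
    except (IndexError, ValueError):
        return True
# … unchanged: hash_password / verify_password …
```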