dpgaspar · mamccorm · May 7, 2024 · May 7, 2024 · May 7, 2024
diff --git a/bin/hash_db_password.py b/bin/hash_db_password.py
@@ -38,7 +38,7 @@
 
 for user in users:
     log.info("Hashing password for {0}".format(user.username))
-    user.password = generate_password_hash(user.password)
+    user.password = generate_password_hash(user.password, method='pbkdf2')
     try:
         db.session.merge(user)
         db.session.commit()

diff --git a/flask_appbuilder/baseviews.py b/flask_appbuilder/baseviews.py
@@ -82,8 +82,7 @@ def create_blueprint(
         appbuilder: "AppBuilder",
         endpoint: Optional[str] = None,
         static_folder: Optional[str] = None,
-    ):
-        ...
+    ): ...
 
     def get_uninit_inner_views(self):
         """

diff --git a/flask_appbuilder/console.py b/flask_appbuilder/console.py
@@ -5,6 +5,7 @@
 
     $ fabmanager --help
 """
+
 from io import BytesIO
 import os
 import shutil

diff --git a/flask_appbuilder/security/manager.py b/flask_appbuilder/security/manager.py
@@ -915,7 +915,7 @@ def reset_password(self, userid, password):
             The clear text password to reset and save hashed on the db
         """
         user = self.get_user_by_id(userid)
-        user.password = generate_password_hash(password)
+        user.password = generate_password_hash(password, method="pbkdf2")
         self.update_user(user)
 
     def update_user_auth_stat(self, user, success=True):
@@ -965,7 +965,7 @@ def auth_user_db(self, username, password):
         if user is None or (not user.is_active):
             # Balance failure and success
             check_password_hash(
-                "pbkdf2:sha256:150000$Z3t6fmj2$22da622d94a1f8118"
+                "pbkdf2:150000$Z3t6fmj2$22da622d94a1f8118"
                 "c0976a03d2f18f680bfff877c9a965db9eedc51bc0be87c",
                 "password",
             )

diff --git a/flask_appbuilder/security/mongoengine/manager.py b/flask_appbuilder/security/mongoengine/manager.py
@@ -84,7 +84,9 @@ def add_register_user(
             if hashed_password:
                 register_user.password = hashed_password
             else:
-                register_user.password = generate_password_hash(password)
+                register_user.password = generate_password_hash(
+                    password, method="pbkdf2"
+                )
             register_user.registration_hash = str(uuid.uuid1())
             register_user.save()
             return register_user
@@ -131,7 +133,7 @@ def add_user(
             if hashed_password:
                 user.password = hashed_password
             else:
-                user.password = generate_password_hash(password)
+                user.password = generate_password_hash(password, method="pbkdf2")
             user.save()
             log.info(c.LOGMSG_INF_SEC_ADD_USER, username)
             return user

diff --git a/flask_appbuilder/security/sqla/apis/user/api.py b/flask_appbuilder/security/sqla/apis/user/api.py
@@ -69,10 +69,10 @@ def pre_update(self, item):
         item.changed_on = datetime.now()
         item.changed_by_fk = g.user.id
         if item.password:
-            item.password = generate_password_hash(item.password)
+            item.password = generate_password_hash(item.password, method="pbkdf2")
 
     def pre_add(self, item):
-        item.password = generate_password_hash(item.password)
+        item.password = generate_password_hash(item.password, method="pbkdf2")
 
     @expose("/", methods=["POST"])
     @protect()

diff --git a/flask_appbuilder/security/sqla/manager.py b/flask_appbuilder/security/sqla/manager.py
@@ -137,7 +137,7 @@ def add_register_user(
         if hashed_password:
             register_user.password = hashed_password
         else:
-            register_user.password = generate_password_hash(password)
+            register_user.password = generate_password_hash(password, method="pbkdf2")
         register_user.registration_hash = str(uuid.uuid1())
         try:
             self.get_session.add(register_user)
@@ -224,7 +224,7 @@ def add_user(
             if hashed_password:
                 user.password = hashed_password
             else:
-                user.password = generate_password_hash(password)
+                user.password = generate_password_hash(password, method="pbkdf2")
             self.get_session.add(user)
             self.get_session.commit()
             log.info(c.LOGMSG_INF_SEC_ADD_USER, username)

diff --git a/flask_appbuilder/security/views.py b/flask_appbuilder/security/views.py
@@ -408,7 +408,7 @@ def pre_update(self, item: Any) -> None:
         item.changed_by_fk = g.user.id
 
     def pre_add(self, item: Any) -> None:
-        item.password = generate_password_hash(item.password)
+        item.password = generate_password_hash(item.password, method="pbkdf2")
 
 
 class UserStatsChartView(DirectByChartView):

diff --git a/tests/test_security_api.py b/tests/test_security_api.py
@@ -51,7 +51,7 @@ def _create_test_user(
         user.username = username
         user.email = email
         user.roles = roles
-        user.password = generate_password_hash(password)
+        user.password = generate_password_hash(password, method='pbkdf2')
         self.session.commit()
         return user