feat: Hash passwords during user creation and login

Karelak · Karelak · commit 28a57a89dbde · 2026-02-09T00:24:52.000Z
diff --git a/src/meeting_room_manager/routes/admin.py b/src/meeting_room_manager/routes/admin.py
@@ -1,4 +1,5 @@
 from flask import Blueprint, redirect, url_for, session, flash, render_template
+from werkzeug.security import generate_password_hash
 from ..models import db, User, Room
 from ..utils.helpers import is_logged_in, get_current_user
 from ..forms import SetupForm, AdminCreateUserForm, AdminCreateRoomForm
@@ -33,7 +34,11 @@ def setup():
 
         try:
             user = User(
-                fname=fname, lname=lname, email=email, password=password, role="admin"
+                fname=fname,
+                lname=lname,
+                email=email,
+                password=generate_password_hash(password),
+                role="admin",
             )
             db.session.add(user)
             db.session.commit()
@@ -79,7 +84,11 @@ def admin_create_user():
 
         try:
             user = User(
-                fname=fname, lname=lname, email=email, password=password, role=role
+                fname=fname,
+                lname=lname,
+                email=email,
+                password=generate_password_hash(password),
+                role=role,
             )
             db.session.add(user)
             db.session.commit()
diff --git a/src/meeting_room_manager/routes/auth.py b/src/meeting_room_manager/routes/auth.py
@@ -6,6 +6,7 @@
     session,
     flash,
 )
+from werkzeug.security import check_password_hash, generate_password_hash
 from ..models import User, db
 from ..forms import LoginForm, VerifyOTPForm
 from ..utils.otp import generate_otp, get_otp_expiry
@@ -29,7 +30,16 @@ def login():
         password = form.password.data
         user = User.query.filter_by(email=email).first()
 
-        if user and user.password == password:
+        password_ok = False
+        if user:
+            if check_password_hash(user.password, password):
+                password_ok = True
+            elif user.password == password:
+                user.password = generate_password_hash(password)
+                db.session.commit()
+                password_ok = True
+
+        if password_ok:
             # Generate OTP and send email
             otp_code = generate_otp()
             otp_expiry = get_otp_expiry(minutes=5)
