[Fix] Remove passlib and use bcrypt directly to resolve compatibility issues #86
Actionable comments posted: 1

Nitpick comments (1)

pyproject.toml (1)

Line 24: Align the direct bcrypt version floor with the effective minimum (>=4.0.1).
Line 24 currently declares bcrypt>=4.0, but chromadb~=1.5 requires bcrypt>=4.0.1 (confirmed in chromadb's PyPI metadata). Matching the direct spec prevents resolver ambiguity and metadata drift.

Proposed diff:
- "bcrypt>=4.0",
+ "bcrypt>=4.0.1",

Prompt for AI Agents:
Verify each finding against the current code and only fix it if needed. In `@pyproject.toml` at line 24, update the bcrypt dependency floor in pyproject.toml from "bcrypt>=4.0" to "bcrypt>=4.0.1" so it matches chromadb's required minimum and avoids resolver ambiguity; modify the bcrypt entry in pyproject.toml accordingly and then regenerate your lockfile (or run the dependency resolver) to ensure the effective metadata matches the declared constraint.
Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/core/security.py`:
- Around line 16-19: The try/except in verify_password currently swallows all
exceptions from bcrypt.checkpw; change it to catch only expected input/hash
errors (e.g., ValueError and TypeError) and any bcrypt-specific invalid-hash
exception if available (import and include bcrypt.errors.InvalidSalt or
bcrypt.errors.InvalidHash when present) so malformed/invalid hash inputs return
False while other unexpected exceptions are allowed to propagate or get logged;
update the exception clause around bcrypt.checkpw(plain_password.encode(),
hashed_password.encode()) in verify_password accordingly.
What does this change?

Details of the work
- src/core/security.py: removed passlib.CryptContext and replaced it with direct use of bcrypt.hashpw / bcrypt.checkpw
- pyproject.toml: removed passlib[bcrypt]>=1.7 and declared bcrypt>=4.0 explicitly

Checklist

Related issues

Review points
- In verify_password, bcrypt exceptions are handled with `except Exception`, because bcrypt raises a variety of exceptions for malformed hash formats and similar input.
- The `$2b$` prefix format is unchanged, so there is no backward-compatibility problem.

Notes and screenshots (optional)
- chromadb>=1.5 depends on bcrypt>=4.0.1, so downgrading the passlib version could not resolve the issue.