From 4de5c332a3bc32a8fd6899c84b098c35e090eb65 Mon Sep 17 00:00:00 2001
From: emma
Date: Mon, 30 Mar 2026 14:43:19 -0400
Subject: [PATCH 1/2] replace passlib with pwdlib for password hashing
- migrate from passlib context to pwdlib PasswordHash
- replace pwd.genword() with secrets-based generator
- update dependencies to use pwdlib with argon2+bcrypt support
---
 backend/btrixcloud/auth.py | 17 +++++++++++++----
 backend/requirements.txt | 2 +-
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/backend/btrixcloud/auth.py b/backend/btrixcloud/auth.py
index ac287fece5..fc8ebeef9d 100644
--- a/backend/btrixcloud/auth.py
+++ b/backend/btrixcloud/auth.py
@@ -4,8 +4,11 @@ from uuid import UUID, uuid4
 from datetime import timedelta
 from typing import Optional, Tuple, List
-from passlib import pwd
-from passlib.context import CryptContext
+import string
+import secrets
+from pwdlib import PasswordHash
+from pwdlib.hashers.argon2 import Argon2Hasher
+from pwdlib.hashers.bcrypt import BcryptHasher
 from pydantic import BaseModel
 import jwt
@@ -38,7 +41,12 @@ RESET_VERIFY_TOKEN_LIFETIME_MINUTES = 60
-PWD_CONTEXT = CryptContext(schemes=["bcrypt"], deprecated="auto")
+PWD_CONTEXT = PasswordHash(
+ (
+ Argon2Hasher(),
+ BcryptHasher(),
+ )
+)
 # Audiences
 CUSTOM_AUTH_AUD = "btrix:custom-auth"
@@ -163,7 +171,8 @@ def get_password_hash(password: str) -> str:
 # ============================================================================
 def generate_password() -> str:
 """generate new secure password"""
- return pwd.genword()
+ alphabet = string.ascii_letters + string.digits
+ return "".join(secrets.choice(alphabet) for i in range(20))
 # ============================================================================
diff --git a/backend/requirements.txt b/backend/requirements.txt
index 918ff53714..ccfd379cc7 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
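Review bot: The new `PWD_CONTEXT = PasswordHash((Argon2Hasher(), BcryptHasher()))` depends on tuple order, and nothing in the code says so: pwdlib hashes new passwords with the first hasher and uses the others only to verify existing hashes. A comment above the assignment, such as `# Argon2 first: used for every new hash; bcrypt stays only to verify hashes created under passlib`, would keep a later reorder from silently sending new hashes back to bcrypt. Existing bcrypt hashes migrate to Argon2 only if the verification path, which lies outside this hunk, persists the replacement hash returned by `verify_and_update`. That is worth confirming, together with a test that checks a hash produced by the old passlib context still verifies.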
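Review bot: In `generate_password` the length `20` is a bare literal and the loop variable `i` is never used. A named module-level constant and a throwaway name read better: `return "".join(secrets.choice(alphabet) for _ in range(GENERATED_PASSWORD_LENGTH))`. The docstring could also state the resulting strength (20 characters from a 62-symbol alphabet, roughly 119 bits), so a later change to the length or alphabet is made knowingly. If generated passwords are run through a password-policy check elsewhere, confirm that letters and digits alone satisfy it; that code is not visible in this hunk.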
@@ -2,7 +2,7 @@ gunicorn
 uvicorn[standard]
 fastapi==0.128.0
 motor
-passlib
+pwdlib[argon2,bcrypt]
 PyJWT==2.8.0
 pydantic==2.12.5
 email-validator
From e62273cef47bbba24d5b07aabe7f4a1dc8ccb4ea Mon Sep 17 00:00:00 2001
From: emma
Date: Mon, 30 Mar 2026 16:21:59 -0400
Subject: [PATCH 2/2] allow setuptools to update beyond v82 was previously blocked by passlib (see #3162 and #3163)
---
 backend/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/requirements.txt b/backend/requirements.txt
index ccfd379cc7..d4a9ced19b 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -29,4 +29,4 @@ remotezip
 json-stream
 aiostream
 iso639-lang>=2.6.0
-setuptools<82.0.0
+setuptools
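Review bot: `pwdlib[argon2,bcrypt]` is added with no version pin, while neighbouring entries such as `fastapi==0.128.0` and `PyJWT==2.8.0` are pinned. This package now decides how password hashes are created and verified, including the Argon2 parameters taken from library defaults, so an unreviewed upgrade could change the format or cost of stored hashes. Pinning it to the release that was tested, e.g. `pwdlib[argon2,bcrypt]==<tested-version>`, keeps that change deliberate. The second patch's `setuptools` line likewise ends up with no bound at all.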