Vulnerability audit for 0.7.0 & Removal of passlib as dependency #185

Merged 4 commits, Oct 1, 2024
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -21,6 +21,7 @@ rosalution-annotation-log.txt*
*.graphql

**/node_modules/**
**/.vite/**

# e2e run captures
/system-tests/cypress/downloads
10 changes: 8 additions & 2 deletions CHANGELOG.md
@@ -1,11 +1,17 @@
<!-- markdownlint-disable-file MD024 -->
# Changelog

## 0.7.0 - latest
## 0.7.0

### Features

### Bug Fixes
- Support for attaching documents, URLs, and Images to fields on an Analysis landing page.
- HTTPs by default for deployments
- Versioning for Annotations as dictated by configuration
- Analyses have a version manifest of annotation's dataset, source, and version
- Render's annotations for an analysis according to it's version manifest
- Timestamped discussions for analyses to which allow users to create, update, and remove text-based
messages to each other within an analysis.

## 0.6.0

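Review bot: As rendered, the seven new list items sit directly under "### Bug Fixes" while "### Features" stays empty, yet every item describes a feature (document attachment, HTTPS by default, annotation versioning, discussions); move the list under "### Features". The 0.7.0 entry also says nothing about this PR's own changes, the replacement of passlib with bcrypt and the vitest/vite/sinon upgrades, which is exactly what a "vulnerability audit" release note should record. Minor wording: "Render's annotations for an analysis according to it's version manifest" should read "Renders annotations for an analysis according to its version manifest".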
2 changes: 1 addition & 1 deletion backend/requirements.txt
Expand Up @@ -7,7 +7,7 @@ jq==1.6.0

python-multipart==0.0.7
PyJWT[crypto]==2.8.0
passlib[bcrypt]==1.7.4
bcrypt==4.2.0

# dev
pytest-cov==4.0.0
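Review bot: Swapping `passlib[bcrypt]==1.7.4` for `bcrypt==4.2.0` is compatible with hashes already in the database only because passlib's bcrypt scheme stores standard `$2b$` modular-crypt strings, which `bcrypt.checkpw` accepts; it would be worth a one-line note in the PR description (or a migration test that verifies a hash produced under passlib) so the next person does not assume a rehash is required. Keep the pin exact as done here; bcrypt 4.x is a compiled wheel and a loose range would silently pull a different build.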
14 changes: 8 additions & 6 deletions backend/src/security/security.py
Expand Up @@ -14,15 +14,12 @@
from fastapi import Depends, HTTPException, Response, status
from fastapi.security import SecurityScopes

from passlib.context import CryptContext
import bcrypt

from ..dependencies import oauth2_scheme

# from ..models.token import TokenData
from ..config import Settings, get_settings

pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

SECURITY_SCOPES = {
"pre-clinical-intake": "Pre-Clinical Intake",
"bioinformatics-section-user": "Bioinformatics Section User",
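Review bot: Removing `pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")` also removes the rehash-on-login path passlib provided through `deprecated="auto"` (its `needs_update` check), so stored hashes will no longer be upgraded automatically if the work factor is ever raised; if that behaviour matters, add an explicit cost check in `verify_password` or document that it is intentionally dropped. The stale `# from ..models.token import TokenData` comment above `from ..config import Settings, get_settings` could be deleted in the same pass.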
Expand Down Expand Up @@ -56,12 +53,17 @@ def create_access_token(

def get_password_hash(password):
"""Takes the plain password and makes a hash from it using CryptContext"""
return pwd_context.hash(password)
pwd_bytes = password.encode('utf-8')
salt = bcrypt.gensalt()
hashed_password = bcrypt.hashpw(password=pwd_bytes, salt=salt)
return hashed_password


def verify_password(plain_password, hashed_password):
"""This will use the CryptContext to hash the plain password and check against the stored pass hash to verify"""
return pwd_context.verify(plain_password, hashed_password)
password_byte_encoded = plain_password.encode('utf-8')
hashed_password = hashed_password.encode('utf-8')
return bcrypt.checkpw(password=password_byte_encoded, hashed_password=hashed_password)


def authenticate_password(user: Optional[dict], password: str):
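Review bot: `get_password_hash` now returns `bytes` (the return value of `bcrypt.hashpw`), but `verify_password` calls `hashed_password.encode('utf-8')` on the stored value, which raises `AttributeError` when that value is the `bytes` object the new hash function produces; under passlib both sides were `str`. Pick one representation and keep it consistent, e.g. `return hashed_password.decode('utf-8')` in `get_password_hash` so the stored form stays a string like before, or have `verify_password` only encode when it receives `str`. Also note that `bcrypt.checkpw` raises `ValueError` on a malformed or empty stored hash rather than returning `False`, so `authenticate_password` should guard that case instead of letting it surface as a 500. Both docstrings still say "using CryptContext" and need updating.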
12 changes: 6 additions & 6 deletions frontend/package.json
Expand Up @@ -25,16 +25,16 @@
"vue-router": "4.2.5"
},
"devDependencies": {
"@vitejs/plugin-vue": "5.0.5",
"@vitest/coverage-v8": "1.6.0",
"@vitest/ui": "1.6.0",
"@vitejs/plugin-vue": "5.1.4",
"@vitest/coverage-v8": "2.1.1",
"@vitest/ui": "2.1.1",
"@vue/test-utils": "2.4.1",
"eslint": "8.50.0",
"eslint-config-google": "0.14.0",
"eslint-plugin-vue": "9.17.0",
"happy-dom": "14.12.3",
"sinon": "16.0.0",
"vite": "5.3.2",
"vitest": "1.6.0"
"sinon": "19.0.2",
"vite": "5.4.8",
"vitest": "2.1.1"
}
}
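Review bot: The vitest and @vitest/* bumps from 1.6.0 to 2.1.1 and sinon from 16.0.0 to 19.0.2 are major-version changes, and a vulnerability-audit PR should say which advisories they resolve (or that they are housekeeping) so the changelog and reviewers can tell the two apart. Vitest 2.0 changed the default of `sequence.hooks` from `'parallel'` to `'stack'`, which is what the `vite.config.js` change in this PR is compensating for; that dependency between the two files deserves a sentence in the PR description.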
3 changes: 3 additions & 0 deletions frontend/vite.config.js
Expand Up @@ -16,6 +16,9 @@ export default defineConfig({
functions: 80,
branches: 80,
},
sequence: {
hooks: 'parallel',
},
},
resolve: {
alias: {
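Review bot: The added `sequence: { hooks: 'parallel' }` restores the vitest 1.x hook ordering after the 2.x upgrade, but nothing in the file says so; add a short comment above it (for example, "vitest 2 defaults to 'stack'; keep 'parallel' until hooks are reviewed") so the setting is not removed as unexplained cruft later. Consider whether the existing test suites actually depend on parallel hooks; if they do not, dropping this override and taking the new default is the smaller long-term change.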
1,177 changes: 627 additions & 550 deletions frontend/yarn.lock
Large diffs are not rendered by default.