Patched test_password.py

test_password.py

@@ -0,0 +1,55 @@
+import time
+import os
+from base64 import b64encode
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.primitives.constant_time import bytes_eq
+from sqli.dao.user import User
+
+def test_password_hashing():
+    # Test data
+    password = "mypassword123"
+    wrong_password = "wrongpassword123"
+
+    # Test new implementation with PBKDF2
+    start_time = time.time()
+    pwd_hash, salt = User._hash_password_v1(password)
+    hash_time = time.time() - start_time
+    print(f"PBKDF2 hash time: {hash_time:.4f} seconds")
+    print(f"PBKDF2 hash example: {pwd_hash}")
+    print(f"PBKDF2 hash length: {len(pwd_hash)}")
+    print(f"Salt length: {len(salt)} bytes")
+
+    # Create a test user
+    test_user = User(
+        id=1,
+        first_name="Test",
+        middle_name=None,
+        last_name="User",
+        username="testuser",
+        pwd_hash=pwd_hash,
+        is_admin=False,
+        salt=salt,
+        password_version=1
+    )
+
+    # Test password verification
+    assert test_user.check_password(password), "Password verification failed for correct password"
+    assert not test_user.check_password(wrong_password), "Password verification succeeded for wrong password"
+
+    # Test timing attack resistance (should take similar time)
+    start_time = time.time()
+    test_user.check_password(password)
+    correct_time = time.time() - start_time
+
+    start_time = time.time()
+    test_user.check_password(wrong_password)
+    wrong_time = time.time() - start_time
+
+    time_diff = abs(correct_time - wrong_time)
+    print(f"Timing difference: {time_diff:.6f} seconds")
+    assert time_diff < 0.1, "Timing difference too large"
+
+    return True
+
+test_password_hashing()