
chore/refac: bump bcrypt and remove passlib

Timothy Jaeryang Baek 6 天之前
父节点
当前提交
ebce0578e6
共有 3 个文件被更改,包括 16 次插入15 次删除
  1. 14 11
      backend/open_webui/utils/auth.py
  2. 1 2
      backend/requirements.txt
  3. 1 2
      pyproject.toml

+ 14 - 11
backend/open_webui/utils/auth.py

@@ -6,7 +6,7 @@ import hmac
 import hashlib
 import requests
 import os
-
+import bcrypt
 
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from cryptography.hazmat.primitives.asymmetric import ed25519
@@ -38,10 +38,7 @@ from open_webui.env import (
 
 from fastapi import BackgroundTasks, Depends, HTTPException, Request, Response, status
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
-from passlib.context import CryptContext
-
 
-logging.getLogger("passlib").setLevel(logging.ERROR)
 
 log = logging.getLogger(__name__)
 log.setLevel(SRC_LOG_LEVELS["OAUTH"])
@@ -155,17 +152,23 @@ def get_license_data(app, key):
 
 
 bearer_security = HTTPBearer(auto_error=False)
-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
 
 
-def verify_password(plain_password, hashed_password):
-    return (
-        pwd_context.verify(plain_password, hashed_password) if hashed_password else None
-    )
+def get_password_hash(password: str) -> str:
+    """Hash a password using bcrypt"""
+    return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
 
 
-def get_password_hash(password):
-    return pwd_context.hash(password)
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Verify a password against its hash"""
+    return (
+        bcrypt.checkpw(
+            plain_password.encode("utf-8"),
+            hashed_password.encode("utf-8"),
+        )
+        if hashed_password
+        else None
+    )
 
 
 def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
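Review bot: `verify_password` and `get_password_hash` now call `bcrypt` directly while this commit pins `bcrypt==5.0.0`, which raises `ValueError` for passwords longer than 72 bytes instead of silently truncating them, and neither function handles that. Unless callers outside this hunk already enforce a length limit, an over-long password at login or signup would surface as an unhandled exception, and accounts whose stored hash was presumably computed from a truncated password would stop verifying; whether to truncate to 72 bytes on verify for those accounts is a compatibility decision worth making explicitly. `verify_password` is also annotated `-> bool` but still returns `None` when `hashed_password` is empty, and `checkpw` raises on a malformed stored hash. I would make verification fail closed with `False` in all of these cases, as below, and have the callers of `get_password_hash` reject passwords over 72 UTF-8 bytes with a clear validation error.

```python
def verify_password(plain_password: str, hashed_password: str) -> bool:
    """Verify a password against its hash"""
    if not hashed_password:
        return False
    try:
        return bcrypt.checkpw(
            plain_password.encode("utf-8"),
            hashed_password.encode("utf-8"),
        )
    except ValueError:
        # bcrypt 5.x: password over 72 bytes, or a malformed stored hash
        return False
```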

+ 1 - 2
backend/requirements.txt

@@ -6,9 +6,8 @@ itsdangerous==2.2.0
 
 python-socketio==5.13.0
 python-jose==3.4.0
-passlib[bcrypt]==1.7.4
 cryptography
-bcrypt==4.3.0
+bcrypt==5.0.0
 argon2-cffi==25.1.0
 PyJWT[crypto]==2.10.1
 authlib==1.6.3

+ 1 - 2
pyproject.toml

@@ -14,9 +14,8 @@ dependencies = [
 
     "python-socketio==5.13.0",
     "python-jose==3.4.0",
-    "passlib[bcrypt]==1.7.4",
     "cryptography",
-    "bcrypt==4.3.0",
+    "bcrypt==5.0.0",
     "argon2-cffi==25.1.0",
     "PyJWT[crypto]==2.10.1",
     "authlib==1.6.3",