app.pw_models: Refactor, use constant-time equality

app/pw_models.py

@@ -9,20 +9,16 @@ _NORMALIZATION_FORM = "NFKC"
 
 
 class PasswordOracle:
-    salt = db.Column(db.String(128), nullable=True)
     password = db.Column(db.String(128), nullable=True)
 
     def set_password(self, password):
         password = unicodedata.normalize(_NORMALIZATION_FORM, password)
         salt = bcrypt.gensalt()
-        password_hash = bcrypt.hashpw(password.encode(), salt).decode()
-        self.salt = salt.decode()
-        self.password = password_hash
+        self.password = bcrypt.hashpw(password.encode(), salt).decode()
 
     def check_password(self, password) -> bool:
         if not self.password:
             return False
 
         password = unicodedata.normalize(_NORMALIZATION_FORM, password)
-        password_hash = bcrypt.hashpw(password.encode(), self.salt.encode())
-        return self.password.encode() == password_hash
+        return bcrypt.checkpw(password.encode(), self.password.encode())

migrations/versions/2021_052917_a5eb5158c4d7_.py

@@ -0,0 +1,29 @@
+"""empty message
+
+Revision ID: a5eb5158c4d7
+Revises: 68e2f38e33f4
+Create Date: 2021-05-29 17:41:32.149720
+
+"""
+import sqlalchemy_utils
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'a5eb5158c4d7'
+down_revision = '68e2f38e33f4'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('users', 'salt')
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('users', sa.Column('salt', sa.VARCHAR(length=128), autoincrement=False, nullable=True))
+    # ### end Alembic commands ###