Store the users hashed password using bcrypt instead of the plaintext…

twitter/requirements.txt

@@ -1 +1,2 @@
-reflex>=0.4.0
+bcrypt>=4.2.0
+reflex>=0.5.10

twitter/twitter/db_model.py

@@ -1,6 +1,5 @@
-from sqlmodel import Field
-
 import reflex as rx
+from sqlmodel import Field
 
 
 class Follows(rx.Model, table=True):
@@ -17,7 +16,7 @@ class User(rx.Model, table=True):
     """A table of Users."""
 
     username: str
-    password: str
+    password: bytes
 
 
 class Tweet(rx.Model, table=True):
@@ -26,4 +25,4 @@ class Tweet(rx.Model, table=True):
     content: str
     created_at: str
 
-    author: str
+    author: str

twitter/twitter/state/auth.py

@@ -1,4 +1,6 @@
 """The authentication state."""
+
+import bcrypt
 import reflex as rx
 from sqlmodel import select
 
@@ -19,7 +21,10 @@ def signup(self):
                 return rx.window_alert("Passwords do not match.")
             if session.exec(select(User).where(User.username == self.username)).first():
                 return rx.window_alert("Username already exists.")
-            self.user = User(username=self.username, password=self.password)
+            hashed_password = bcrypt.hashpw(
+                self.password.encode("utf-8"), bcrypt.gensalt()
+            )
+            self.user = User(username=self.username, password=hashed_password)
             session.add(self.user)
             session.expire_on_commit = False
             session.commit()
@@ -31,7 +36,7 @@ def login(self):
             user = session.exec(
                 select(User).where(User.username == self.username)
             ).first()
-            if user and user.password == self.password:
+            if user and bcrypt.checkpw(self.password.encode("utf-8"), user.password):
                 self.user = user
                 return rx.redirect("/")
             else: