core: centralize password hash validation

2026-04-25 17:15:26 +02:00 · 2026-04-22 20:41:53 -04:00
parent 4d91a82b4c
commit ce67c4c1ac
2 changed files with 7 additions and 3 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -6,7 +6,6 @@ from json import loads
 from typing import Any

 from django.contrib.auth import update_session_auth_hash
-from django.contrib.auth.hashers import identify_hasher
 from django.contrib.auth.models import AnonymousUser, Permission
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@@ -244,7 +243,7 @@ class UserSerializer(ModelSerializer):
        if password_hash is None:
            return
        try:
-            identify_hasher(password_hash)
+            User.validate_password_hash(password_hash)
        except ValueError as exc:
            LOGGER.warning("Failed to identify password hash format", exc_info=exc)
            raise ValidationError(_invalid_password_hash_message()) from exc
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -580,6 +580,11 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
        self.password_change_date = now()
        return super().set_password(raw_password)

+    @staticmethod
+    def validate_password_hash(password_hash: str):
+        """Validate that the value is a recognized Django password hash."""
+        identify_hasher(password_hash)  # Raises ValueError if invalid
+
    def set_password_from_hash(self, password_hash: str, signal=True, sender=None, request=None):
        """Set password directly from a pre-hashed value.

@@ -594,7 +599,7 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
        """
        from authentik.core.signals import PASSWORD_SOURCE_HASH

-        identify_hasher(password_hash)  # Raises ValueError if invalid
+        self.validate_password_hash(password_hash)
        self._send_password_changed_signal(
            None,
            signal,