From 68e1206fc48b5209741cda7b3bedf9adc8a518dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Mon, 7 Aug 2023 12:37:32 +0200
Subject: Stop reusing salt for passwords.

---
 mu4web/password.py | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/mu4web/password.py b/mu4web/password.py
index 7e6d140..d7ab5ce 100755
--- a/mu4web/password.py
+++ b/mu4web/password.py
@@ -65,22 +65,13 @@ class Passwords:
 def add(self, username: str, password: str) -> None:
 """Add (or modify) entry in store."""
- if cur := self.db.get(username):
- salt = cur['salt']
- hashed = hashlib.sha256((salt + password).encode('UTF-8'))
- self.db[username] = {
- 'hash': hashed.hexdigest(),
- 'salt': salt,
- 'method': 'sha256',
- }
- else:
- salt = gen_salt()
- hashed = hashlib.sha256((salt + password).encode('UTF-8'))
- self.db[username] = {
- 'hash': hashed.hexdigest(),
- 'salt': salt,
- 'method': 'sha256'
- }
+ salt = gen_salt()
+ hashed = hashlib.sha256((salt + password).encode('UTF-8'))
+ self.db[username] = {
+ 'hash': hashed.hexdigest(),
+ 'salt': salt,
+ 'method': 'sha256'
+ }
 def validate(self, username: str, password: str) -> bool:
 """Check if user exists, and if it has a correct password."""
-- 
cgit v1.2.3
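Review bot: The new `add` body still stores a single unsalted-iteration SHA-256 of `salt + password`, which is a fast digest rather than a password KDF, so anyone holding a copy of `self.db` can test guesses at hardware speed per entry; the fresh salt on every write only removes the cross-entry and old-password shortcut that the removed branch had. Since every record already carries a `'method'` field, new entries should be written with the stdlib `hashlib.pbkdf2_hmac` under a distinct method name (see the excerpt below) while `'sha256'` rows stay verifiable until they are rewritten by the next `add`, which is the migration path this field was evidently meant for. `gen_salt` and the body of `validate` are outside the hunk, so I cannot tell whether the salt comes from `secrets` or whether `validate` dispatches on `'method'` and compares with `hmac.compare_digest`; both must be checked before a second method is introduced, and `validate` starts on the hunk's last two context lines and continues below it. `add` itself lies entirely inside the hunk.
```python
        salt = gen_salt()
        # PBKDF2 with a high iteration count so offline guessing is slow;
        # a distinct 'method' lets validate() keep verifying legacy 'sha256' rows.
        hashed = hashlib.pbkdf2_hmac('sha256', password.encode('UTF-8'),
                                     salt.encode('UTF-8'), 600_000)
        self.db[username] = {
            'hash': hashed.hex(),
            'salt': salt,
            'method': 'pbkdf2_sha256',
        }
```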