fix: move argon2 imports to top-level and catch VerifyMismatchError specifically

PasswordHasher and VerifyMismatchError are now imported at module level in router.py and providers/password.py. Wrong-password errors are caught as VerifyMismatchError (401); unexpected errors fall through to a 500 with logging.
2026-04-09 18:42:51 +02:00 · 2026-04-09 18:42:51 +02:00 · 7e0cb80ed2
commit 7e0cb80ed2
parent f6d2d1487f
1 changed files with 6 additions and 3 deletions
--- a/app/auth/providers/password.py
+++ b/app/auth/providers/password.py
@ -6,6 +6,8 @@ import os
 from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel
 import duckdb
+from argon2 import PasswordHasher
+from argon2.exceptions import VerifyMismatchError

 from app.auth.jwt import create_access_token
 from app.auth.dependencies import _get_db
@ -43,11 +45,13 @@ async def password_login(

    # Verify password
    try:
-        from argon2 import PasswordHasher
        ph = PasswordHasher()
        ph.verify(user["password_hash"], request.password)
-    except Exception:
+    except VerifyMismatchError:
        raise HTTPException(status_code=401, detail="Invalid email or password")
+    except Exception:
+        logger.exception("Unexpected error during password verification")
+        raise HTTPException(status_code=500, detail="Internal server error")

    token = create_access_token(user["id"], user["email"], user["role"])
    return {"access_token": token, "token_type": "bearer", "email": user["email"], "role": user["role"]}
@ -68,7 +72,6 @@ async def password_setup(
        raise HTTPException(status_code=400, detail="Invalid setup token")

    # Hash and save password
-    from argon2 import PasswordHasher
    ph = PasswordHasher()
    hashed = ph.hash(request.password)