passlib.exc - Exceptions and warnings

This module contains all the custom exceptions & warnings that may be raised by Passlib.

Exceptions

exception passlib.exc.MissingBackendError

Error raised if multi-backend handler has no available backends; or if specifically requested backend is not available.

MissingBackendError derives from RuntimeError, since it usually indicates lack of an external library or OS feature. This is primarily raised by handlers which depend on external libraries (which is currently just bcrypt).

exception passlib.exc.InternalBackendError

Error raised if something unrecoverable goes wrong with backend call; such as if crypt.crypt() returning a malformed hash.

Added in version 1.7.3.

exception passlib.exc.PasswordValueError

Error raised if a password can’t be hashed / verified for various reasons. This exception derives from the builtin ValueError.

May be thrown directly when password violates internal invariants of hasher (e.g. some don’t support NULL characters). Hashers may also throw more specific subclasses, such as PasswordSizeError.

Added in version 1.7.3.

exception passlib.exc.PasswordSizeError(max_size, msg=None)

Error raised if a password exceeds the maximum size allowed by Passlib (by default, 4096 characters); or if password exceeds a hash-specific size limitation.

This exception derives from PasswordValueError (above).

Many password hash algorithms take proportionately larger amounts of time and/or memory depending on the size of the password provided. This could present a potential denial of service (DOS) situation if a maliciously large password is provided to an application. Because of this, Passlib enforces a maximum size limit, but one which should be much larger than any legitimate password. PasswordSizeError derives from ValueError.

Note

Applications wishing to use a different limit should set the PASSLIB_MAX_PASSWORD_SIZE environmental variable before Passlib is loaded. The value can be any large positive integer.

max_size

indicates the maximum allowed size.

Added in version 1.6.

exception passlib.exc.PasswordTruncateError(cls, msg=None)

Error raised if password would be truncated by hash. This derives from PasswordSizeError (above).

Hashers such as bcrypt can be configured to raises this error by setting truncate_error=True.

max_size

indicates the maximum allowed size.

Added in version 1.7.

exception passlib.exc.PasslibSecurityError

Error raised if critical security issue is detected (e.g. an attempt is made to use a vulnerable version of a bcrypt backend).

Added in version 1.6.3.

exception passlib.exc.UnknownHashError(message=None, value=None)

Error raised by lookup_hash if hash name is not recognized. This exception derives from ValueError.

As of version 1.7.3, this may also be raised if hash algorithm is known, but has been disabled due to FIPS mode (message will include phrase “disabled for fips”).

As of version 1.7.4, this may be raised if a CryptContext is unable to identify the algorithm used by a password hash.

Added in version 1.7.

Changed in version 1.7.4: altered call signature.

TOTP Exceptions

exception passlib.exc.TokenError(msg=None, *args, **kwds)

Base error raised by v:mod:passlib.totp when a token can’t be parsed / isn’t valid / etc. Derives from ValueError.

Usually one of the more specific subclasses below will be raised:

Added in version 1.7.

exception passlib.exc.MalformedTokenError(msg=None, *args, **kwds)

Error raised by passlib.totp when a token isn’t formatted correctly (contains invalid characters, wrong number of digits, etc)

exception passlib.exc.InvalidTokenError(msg=None, *args, **kwds)

Error raised by passlib.totp when a token is formatted correctly, but doesn’t match any tokens within valid range.

exception passlib.exc.UsedTokenError(*args, **kwds)

Error raised by passlib.totp if a token is reused. Derives from TokenError.

expire_time = None

optional value indicating when current counter period will end, and a new token can be generated.

Added in version 1.7.

Warnings

exception passlib.exc.PasslibWarning

base class for Passlib’s user warnings, derives from the builtin UserWarning.

Added in version 1.6.

Minor Warnings

exception passlib.exc.PasslibConfigWarning

Warning issued when non-fatal issue is found related to the configuration of a CryptContext instance.

This occurs primarily in one of two cases:

  • The CryptContext contains rounds limits which exceed the hard limits imposed by the underlying algorithm.

  • An explicit rounds value was provided which exceeds the limits imposed by the CryptContext.

In both of these cases, the code will perform correctly & securely; but the warning is issued as a sign the configuration may need updating.

Added in version 1.6.

exception passlib.exc.PasslibHashWarning

Warning issued when non-fatal issue is found with parameters or hash string passed to a passlib hash class.

This occurs primarily in one of two cases:

  • A rounds value or other setting was explicitly provided which exceeded the handler’s limits (and has been clamped by the relaxed flag).

  • A malformed hash string was encountered which (while parsable) should be re-encoded.

Added in version 1.6.

Critical Warnings

exception passlib.exc.PasslibRuntimeWarning

Warning issued when something unexpected happens during runtime.

The fact that it’s a warning instead of an error means Passlib was able to correct for the issue, but that it’s anomalous enough that the developers would love to hear under what conditions it occurred.

Added in version 1.6.

exception passlib.exc.PasslibSecurityWarning

Special warning issued when Passlib encounters something that might affect security.

Added in version 1.6.