fix: replace passlib with bcrypt directly

backend/app/core/security.py

@@ -1,20 +1,18 @@
 from datetime import datetime, timedelta
 from typing import Optional
 
+import bcrypt
 from jose import JWTError, jwt
-from passlib.context import CryptContext
 
 from app.core.config import settings
 
-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-
 
 def hash_password(password: str) -> str:
-    return pwd_context.hash(password)
+    return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
 
 
 def verify_password(plain: str, hashed: str) -> bool:
-    return pwd_context.verify(plain, hashed)
+    return bcrypt.checkpw(plain.encode("utf-8"), hashed.encode("utf-8"))
 
 
 def create_access_token(subject: int) -> str:
@@ -40,4 +38,4 @@ def decode_token(token: str) -> Optional[int]:
         payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
         return int(payload["sub"])
     except (JWTError, KeyError, ValueError):
-        return None
+        return None

backend/requirements.txt

@@ -6,7 +6,7 @@ alembic==1.13.1
 pydantic[email]==2.7.1
 pydantic-settings==2.2.1
 python-jose[cryptography]==3.3.0
-passlib[bcrypt]==1.7.4
+bcrypt==4.1.3
 python-multipart==0.0.9
 httpx==0.27.0
 anthropic==0.25.0