This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

Slowness #740

Closed
BillSchumacher opened this issue Jan 1, 2018 · 10 comments

Comments

@BillSchumacher

All Flask-Security related functions take ~20-30 seconds to complete. It did not use to be so slow. I thought maybe it was the emails but I moved those to a celery task, the slowness persists. I implemented other logic that uses email and it is instant.

Not sure why but this library has a huge delay for some reason.

@BillSchumacher
Author

I decided to implement the logic for user login using the same forms, db lookup and password verification.

Surprisingly the form validation and password hashing both take ~10 seconds.

('before validation', '2017-12-31 23:52:13.046964')
('after validation', '2017-12-31 23:52:22.855227')
('user lookup', '2017-12-31 23:52:22.855389')
('after user lookup', '2017-12-31 23:52:22.870330')
('password hash', '2017-12-31 23:52:22.870482')
('after password hash', '2017-12-31 23:52:31.045613')
('after auth', '2017-12-31 23:52:31.045836')
('after login', '2017-12-31 23:52:31.059585')

@mafrosis
Contributor

mafrosis commented Jan 1, 2018

#731 ?

@BillSchumacher
Author

I see that the hashing is done in the form validation, I'll have to take a look to see what else is happening to add ~20 seconds to the standard Flask-Security login. Even 9 seconds is too slow.

('before validation', '2018-01-01 00:07:56.931346')
('after validation', '2018-01-01 00:08:03.957584')
('after login', '2018-01-01 00:08:03.971493')

@BillSchumacher
Author

So this is interesting, if I don't use the Flask-Security LoginForm and call verify_password like I was previously the issue is resolved? The same function call took 10 seconds previously.

('before validation', '2018-01-01 00:51:16.683555')
('after validation', '2018-01-01 00:51:16.684854')
('user lookup', '2018-01-01 00:51:16.684928')
('after user lookup', '2018-01-01 00:51:16.689784')
('password hash', '2018-01-01 00:51:16.689911')
('after password hash', '2018-01-01 00:51:16.691094')
('after login', '2018-01-01 00:51:16.702708')

@BillSchumacher
Author

Not sure why, but verify_password is slowed down significantly by running the form's verify_and_update_password prior to calling verify_password; verify_and_update_password is still ~10 seconds with the custom form.

@BillSchumacher
Author

verify_and_update timings:

('verify_and_update initial', '2018-01-01 01:04:22.480948')
('verify_and_update after verify', '2018-01-01 01:04:22.481539')
('verify_and_update after needs_update', '2018-01-01 01:04:22.481660')
('verify_and_update after hash', '2018-01-01 01:04:31.147555')
('verify_and_update after put', '2018-01-01 01:04:31.149381')

@BillSchumacher
Author

This chunk of code in hash_password is the culprit:

return _pwd_context.hash(
    password,
    **config_value('PASSWORD_HASH_OPTIONS', default={}).get(
        _security.password_hash, {})
)

I'm not sure what is even happening at this point, are we not hashing the current password during verification? What's the point of this? Why not just use the get_hmac and be done?

@BillSchumacher
Author

After modifying my code to use entirely custom functions and Argon2, I had an idea. Why not offload token generation and update hashing to celery tasks as well?

@BillSchumacher
Author

The verify function without update is very fast; it's the updates that take forever, and for registration the confirmation token hashing makes the request take a very long time when we could just be generating that in the background.
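
The verify, needs_update, hash sequence timed in the comments above, as an added example that is not Flask-Security's or passlib's code and is not from any participant in this thread. It swaps in standard-library PBKDF2 for the library's hashing context; the round counts, hash string format and `timed_login` helper are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time

SCHEME = "pbkdf2-sha256"
CURRENT_ROUNDS = 200_000   # constructed policy value for this demo
LEGACY_ROUNDS = 1_000      # constructed: cost an old stored hash was created with

def hash_password(password, rounds=CURRENT_ROUNDS):
    """Expensive step: new salt, full key derivation at the given cost."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{SCHEME}${rounds}${salt.hex()}${dk.hex()}"

def _parse(stored):
    scheme, rounds, salt, dk = stored.split("$")
    if scheme != SCHEME or int(rounds) < 1:
        raise ValueError("unknown scheme or invalid cost")
    return int(rounds), bytes.fromhex(salt), bytes.fromhex(dk)

def verify_password(password, stored):
    """Cost follows the rounds recorded in the stored hash, not current policy."""
    try:
        rounds, salt, expected = _parse(stored)
    except ValueError:
        return False  # malformed or foreign hash: reject instead of raising
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)

def needs_update(stored):
    return _parse(stored)[0] < CURRENT_ROUNDS

def verify_and_update(password, stored):
    """Return (ok, new_hash); new_hash is set only when a rehash was required."""
    if not verify_password(password, stored):
        return False, None
    return True, (hash_password(password) if needs_update(stored) else None)

def timed_login(password, stored):
    """Return (ok, new_hash, seconds) so the two login paths can be compared."""
    start = time.perf_counter()
    ok, new_hash = verify_and_update(password, stored)
    return ok, new_hash, time.perf_counter() - start

if __name__ == "__main__":
    legacy = hash_password("correct horse", LEGACY_ROUNDS)   # constructed input
    _, upgraded, t1 = timed_login("correct horse", legacy)   # verify + rehash
    _, again, t2 = timed_login("correct horse", upgraded)    # verify only
    print(f"first {t1:.4f}s rehash={upgraded is not None}; "
          f"second {t2:.4f}s rehash={again is not None}")
```

In this sketch the rehash runs once per account: after the upgraded hash is stored, later logins pay only the verification cost.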

@jirikuncar
Contributor

Please follow #731

jasco pushed a commit to jasco/flask-security that referenced this issue Oct 3, 2023
We were checking if the Login/Register form already had a username attribute - if user wants 2 apps and 2 security instances - it would fail.

closes pallets-eco#740