Argon2PasswordHasher.encode() decodes underlying hash as UTF-8 instead of ASCII

[Chris Foresman]

The new Argon2PasswordHasher returns a unicode object in Python 2.7x, though argon2 itself returns only ASCII chars in its hash. Practically speaking this doesn't seem to cause a problem saving this value to a CharField, but for consistency's sake it probably needs updated to decode('ascii') instead of decode('utf-8') as other password hashers do.

Compare:
PBKDF2: ​https://github.com/django/django/blob/1.10/django/contrib/auth/hashers.py#L259
Argon2: ​https://github.com/django/django/blob/1.10/django/contrib/auth/hashers.py#L326

See also argon2-cffi: ​https://github.com/hynek/argon2_cffi/blob/master/src/argon2/_password_hasher.py#L106

[Carl Meyer]

To be clear, .decode('utf-8') and .decode('ascii') both return a unicode object (in Py2, str in Py3). The only difference is in how the bytes are interpreted when decoding. Decoding as UTF-8 expects non-ASCII characters in the bytestring to be encoded as UTF-8, decoding as ASCII will choke on any non-ASCII characters in the bytestring.

Given that the underlying hasher will only generate strings containing ASCII characters anyway, there is zero functional difference here between .decode('utf-8') and .decode('ascii'). It's still probably worth switching to the latter, for better clarity (to avoid people wondering what in the world the Argon2 hasher needs UTF-8 for).

[GitHub <noreply@…>]

In 967aa7f6:

Fixed #27010 -- Made Argon2PasswordHasher decode with ASCII.

The underlying hasher only generates strings containing ASCII
characters so this is merely a cosmetic change.

[Tim Graham <timograham@…>]

In 4a0c9e0:

[1.10.x] Fixed #27010 -- Made Argon2PasswordHasher decode with ASCII.

The underlying hasher only generates strings containing ASCII
characters so this is merely a cosmetic change.
Backport of 967aa7f6cc720b11e38b7e0cbeffc2c95c64fa05 from master