From 418ab8a93907669be4ccbb99d7aefa5283f3e013 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar
Date: Tue, 17 Dec 2024 16:33:17 +0000
Subject: [PATCH 1/2] chore: improve security models performance (#2293)

---
 flask_appbuilder/security/sqla/models.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/flask_appbuilder/security/sqla/models.py b/flask_appbuilder/security/sqla/models.py
index 680aff6a5f..74ca579bd1 100755
--- a/flask_appbuilder/security/sqla/models.py
+++ b/flask_appbuilder/security/sqla/models.py
@@ -6,6 +6,7 @@
 Column,
 DateTime,
 ForeignKey,
+ Index,
 Integer,
 Sequence,
 String,
@@ -52,6 +53,8 @@ def __repr__(self):
 Column("permission_view_id", Integer, ForeignKey("ab_permission_view.id")),
 Column("role_id", Integer, ForeignKey("ab_role.id")),
 UniqueConstraint("permission_view_id", "role_id"),
+ Index("idx_permission_view_id", "permission_view_id"),
+ Index("idx_role_id", "role_id"),
 )
 
 
@@ -72,7 +75,11 @@ def __repr__(self):
 
 class PermissionView(Model):
 __tablename__ = "ab_permission_view"
- __table_args__ = (UniqueConstraint("permission_id", "view_menu_id"),)
+ __table_args__ = (
+ UniqueConstraint("permission_id", "view_menu_id"),
+ Index("idx_permission_id", "permission_id"),
+ Index("idx_view_menu_id", "view_menu_id"),
+ )
 id = Column(Integer, Sequence("ab_permission_view_id_seq"), primary_key=True)
 permission_id = Column(Integer, ForeignKey("ab_permission.id"))
 permission = relationship("Permission", lazy="joined")

From 7e96e345a2a6aa520c70a5e17ee24a30452e8e52 Mon Sep 17 00:00:00 2001
From: Daniel Vaz Gaspar
Date: Mon, 20 Jan 2025 13:15:57 +0000
Subject: [PATCH 2/2] feat: make fake password hash check configurable (#2301)

---
 flask_appbuilder/security/manager.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/flask_appbuilder/security/manager.py b/flask_appbuilder/security/manager.py
index d046eec9f0..4ba4afada0 100644
--- a/flask_appbuilder/security/manager.py
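Review bot: `Index("idx_permission_view_id", "permission_view_id")` in the `@@ -52` hunk and `Index("idx_permission_id", "permission_id")` in the `@@ -72` hunk look redundant: each table's existing `UniqueConstraint` already has that column as its leading column, and on the common engines a unique constraint is backed by a composite index that serves a lookup on its leading column, so only `idx_role_id` and `idx_view_menu_id` add anything while the other two cost write time and space on every role or permission change. The index names are also not scoped by table, and index names are schema-global on PostgreSQL, so a later index on another table's `role_id` or `permission_id` would collide; table-qualified names in the style SQLAlchemy's `index=True` produces (`ix_<table>_<column>`) avoid that. I would drop the two redundant `Index(...)` lines and rename the remaining two. Since the diffstat shows only the model file changed, existing databases will presumably not gain these indexes without a migration or manual DDL, which is worth saying in the release notes.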
+++ b/flask_appbuilder/security/manager.py
@@ -229,6 +229,12 @@ def __init__(self, appbuilder):
 app.config.setdefault("AUTH_ROLES_MAPPING", {})
 app.config.setdefault("AUTH_ROLES_SYNC_AT_LOGIN", False)
 app.config.setdefault("AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS", False)
+ app.config.setdefault(
+ "AUTH_DB_FAKE_PASSWORD_HASH_CHECK",
+ "scrypt:32768:8:1$wiDa0ruWlIPhp9LM$6e409d093e62ad54df2af895d0e125b05ff6cf6414"
+ "8350189ffc4bcc71286edf1b8ad94a442c00f890224bf2b32153d0750c89ee9"
+ "401e62f9dcee5399065e4e5",
+ )
 
 # LDAP Config
 if self.auth_type == AUTH_LDAP:
@@ -968,8 +974,7 @@ def auth_user_db(self, username, password):
 if user is None or (not user.is_active):
 # Balance failure and success
 check_password_hash(
- "pbkdf2:sha256:150000$Z3t6fmj2$22da622d94a1f8118"
- "c0976a03d2f18f680bfff877c9a965db9eedc51bc0be87c",
+ self.appbuilder.get_app.config["AUTH_DB_FAKE_PASSWORD_HASH_CHECK"],
 "password",
 )
 log.info(LOGMSG_WAR_SEC_LOGIN_FAILED, username)
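Review bot: The default `AUTH_DB_FAKE_PASSWORD_HASH_CHECK` added in the `@@ -229` hunk only does its job if its method and cost parameters (`scrypt:32768:8:1`) match what the deployment's stored user hashes actually use; a site whose rows were hashed with a different method (the removed constant was `pbkdf2:sha256:150000`) will still show a measurable gap between the unknown-user branch of `auth_user_db` and a real `check_password_hash` against a stored hash, which is the user-enumeration signal this dummy call exists to hide. Neither hunk says so, so I would document it at the `setdefault` call, e.g. `# Dummy hash that keeps the failed-login path's timing close to a real check; it must use the same method and parameters as the stored user password hashes.` In the `@@ -968` hunk the value is read with `config[...]` and passed straight to `check_password_hash`; a subclass that skips the base `__init__`, or an operator who sets a value without the `method$salt$hash` shape, turns the unknown-user branch into an exception instead of the logged failure (werkzeug raises on an unrecognised method rather than returning False, as far as I recall), and an exception only on that branch is itself an enumeration signal, so validating the configured value once at startup seems worthwhile. The enclosing `__init__` and `auth_user_db` bodies extend outside these hunks.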