Storage and verification of encrypted password to log in to Pyramid

I am trying to verify the encrypted password for the login in Pyramid. Thus, if the user and password match, the system will authorize the user. At the moment, it's hard for me to write a password comparison function when they are encrypted in the database, and the password entered in the Pyramid login form is unencrypted. Right now I have no verification in the login form.

I am new to this security / code process and want to do it right. I looked at this Auth tutorial, however the encryption in the User class is slightly different and I am using the Pyramid Auth kit. Any advice on how to do this successfully and reasonably would be greatly appreciated.

Software: Python 2.7.9, Pyramid 1.5.7, SQLAlchemy 1.0.9


database class:

import hashlib

from sqlalchemy import Column, Integer, String
from sqlalchemy.ext.declarative import declarative_base

# in the project this comes from the shared models module
Base = declarative_base()


class User(Base):
    __tablename__ = 'users'

    id = Column(Integer, primary_key=True)
    username = Column(String(15), nullable=False, unique=True)
    email = Column(String(300))
    password = Column(String(300), nullable=False)

    def __init__(self, username, password, email):
        self.username = username
        # stored as an unsalted SHA-224 hex digest; this is what the question is about
        self.password = hashlib.sha224(password).hexdigest()
        self.email = email

    def __repr__(self):
        return "<User(username ='%s', password='%s', email='%s')>" % (self.username, self.password, self.email)

view:

from pyramid.httpexceptions import HTTPFound
from pyramid.security import remember
from pyramid.view import forbidden_view_config, view_config

# `api` is the project's own data-access module (retrieve_user looks a user up by name)


@view_config(route_name='login', renderer='templates/login.jinja2')
@forbidden_view_config(renderer='templates/login.jinja2')
def login(request):
    login_url = request.route_url('login')
    referrer = request.url
    if referrer == login_url:
        referrer = '/' # never use the login form itself as came_from
    came_from = request.params.get('came_from', referrer)
    message = ''
    login = ''
    password = ''
    if 'form.submitted' in request.params:
        login = request.params['login']
        password = request.params['password']

        user = api.retrieve_user(login) # need some way to validate password
        if user is not None: # need to check user/password here, redirect if wrong
            headers = remember(request, login)
            return HTTPFound(location = came_from,
                             headers = headers)
        # was unreachable after the return above; only set when the lookup fails
        message = 'Failed login'

    return dict(
        message = message,
        url = request.application_url + '/login',
        came_from = came_from,
        login = login,
        password = password,
        )
2 answers

Change your code, add the excellent passlib library and use secure password storage using bcrypt as a hash algorithm.

In your project's setup.py, add the following requirements:

  • bcrypt
  • passlib

And then use the following code snippet for your model:

from passlib.hash import bcrypt
from sqlalchemy import Column, Integer, String
from sqlalchemy.ext.declarative import declarative_base

# in the project this comes from the shared models module
Base = declarative_base()


class User(Base):
    __tablename__ = 'users'

    id = Column(Integer, primary_key=True)
    username = Column(String(15), nullable=False, unique=True)
    email = Column(String(300))
    password = Column(String(300), nullable=False)

    def __init__(self, username, password, email):
        self.username = username
        # bcrypt generates a per-user salt and embeds it in the stored string
        # (passlib 1.7+ also offers bcrypt.hash(); encrypt() is the older name)
        self.password = bcrypt.encrypt(password)
        self.email = email

    def validate_password(self, password):
        # passlib reads the salt/cost back out of self.password and compares
        return bcrypt.verify(password, self.password)

    def __repr__(self):
        return "<User(username ='%s', password='%s', email='%s')>" % (self.username, self.password, self.email)

WARNING: DANGEROUS CODE



Your User.__init__ sets self.password = hashlib.sha224(password).hexdigest(). So:

import hashlib


class User(Base):
    # Your existing code unchanged

    def validate_password(self, password):
        # hash the submitted password the same way and compare the hex digests
        return self.password == hashlib.sha224(password).hexdigest()

And in the view:

user = api.retrieve_user(login)
if user is not None and user.validate_password(password):
    # Your logic on success
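Both answers above leave a gap: the first replaces the hashing but says nothing about users whose rows already hold the unsalted SHA-224 digest, and the second keeps a plain `==` comparison. The following is an added, self-contained example (not code from the question or either answer, and written for Python 3) that uses only the standard library: salted PBKDF2 via `hashlib.pbkdf2_hmac` stands in for passlib's bcrypt, comparisons go through `hmac.compare_digest`, and a legacy SHA-224 hash is verified once and then transparently re-hashed on a successful login. The `User` class and `authenticate()` function are hypothetical stand-ins for the model and the view's check.

```python
import hashlib
import hmac
import os

# Constructed example, not the project's code. Stored format (assumed here):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
PBKDF2_ITERATIONS = 200_000
PREFIX = "pbkdf2_sha256$"


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash; the salt and cost travel with the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (PREFIX, iterations, salt.hex(), digest.hex())


def legacy_sha224(password):
    """What the question's original model stores: unsalted SHA-224 hex."""
    return hashlib.sha224(password.encode("utf-8")).hexdigest()


def needs_upgrade(stored):
    return not stored.startswith(PREFIX)


def verify_password(password, stored):
    """Constant-time check that understands both the new and the legacy format."""
    if not needs_upgrade(stored):
        _, iters, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate.hex(), digest_hex)
    return hmac.compare_digest(legacy_sha224(password), stored)


class User(object):  # hypothetical stand-in for the SQLAlchemy model
    def __init__(self, username, password):
        self.username = username
        self.password = hash_password(password)


def authenticate(user, password):
    """The check the login view needs; rehashes legacy rows after a good login."""
    if user is None:
        # burn the same work for unknown users so the timing does not reveal them
        hash_password(password)
        return False
    if not verify_password(password, user.password):
        return False
    if needs_upgrade(user.password):
        user.password = hash_password(password)  # persist this in the real view
    return True
```

In the view this replaces `if user is not None:` with `if authenticate(user, password):`, and the session cookie is only issued on the True branch.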

Source: https://habr.com/ru/post/1615834/
