我每次重新加载页面时,flask-security crypto_password('mypassword')都会有所不同 [英] flask-security encrypt_password('mypassword') varies every time when i reload the page
问题描述
我已经配置了SECURITY_PASSWORD_SALT
并使用"bcrypt".但是每次我重新加载页面print encrypt_password('mypassword')
时都会打印不同的值,因此我无法通过verify_password(form.password.data, user.password)
验证用户输入的密码.
I've already configured SECURITY_PASSWORD_SALT
and use "bcrypt". But every time i reload the page print encrypt_password('mypassword')
will print different values, so i can't verify user input password via verify_password(form.password.data, user.password)
.
但是我可以从flask-security内置的登录视图登录
But I can login from flask-security built-in login view
以下代码演示了encrypt_password
的奇怪行为:
Here is code to demonstrate the strange behavior of encrypt_password
:
from flask import Flask, render_template
from flask.ext.sqlalchemy import SQLAlchemy
from flask.ext.security import Security, SQLAlchemyUserDatastore, \
UserMixin, RoleMixin, login_required
from flask.ext.security.utils import encrypt_password, verify_password
# Create app
app = Flask(__name__)
app.config['DEBUG'] = True
app.config['SECRET_KEY'] = 'super-secret'
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite://'
app.config['SECURITY_PASSWORD_HASH'] = 'sha512_crypt'
app.config['SECURITY_PASSWORD_SALT'] = 'fhasdgihwntlgy8f'
# Create database connection object
db = SQLAlchemy(app)
# Define models
roles_users = db.Table('roles_users',
db.Column('user_id', db.Integer(), db.ForeignKey('user.id')),
db.Column('role_id', db.Integer(), db.ForeignKey('role.id')))
class Role(db.Model, RoleMixin):
id = db.Column(db.Integer(), primary_key=True)
name = db.Column(db.String(80), unique=True)
description = db.Column(db.String(255))
class User(db.Model, UserMixin):
id = db.Column(db.Integer, primary_key=True)
email = db.Column(db.String(255), unique=True)
password = db.Column(db.String(255))
active = db.Column(db.Boolean())
confirmed_at = db.Column(db.DateTime())
roles = db.relationship('Role', secondary=roles_users,
backref=db.backref('users', lazy='dynamic'))
# Setup Flask-Security
user_datastore = SQLAlchemyUserDatastore(db, User, Role)
security = Security(app, user_datastore)
# Create a user to test with
@app.before_first_request
def create_user():
db.create_all()
user_datastore.create_user(email='matt@nobien.net', password='password')
db.session.commit()
# Views
@app.route('/')
#@login_required
def home():
password = encrypt_password('mypassword')
print verify_password('mypassword', password)
return password
# return render_template('index.html')
if __name__ == '__main__':
app.run()
推荐答案
encrypt_password()
产生新值的事实是设计使然. verify_password()
失败的事实并非如此.这是已经报告的 Flask-Security中的错误.
The fact that encrypt_password()
generates a new value is by design. The fact that verify_password()
fails is not. It's an already reported bug in Flask-Security.
使用登录视图时,使用另一种方法 verify_and_update_password()
代替使用,它不会遇到相同的问题.
When you use the login view, a different method, verify_and_update_password()
is used instead, which doesn't suffer from the same problem.
此修复程序尚未包含在新版本中.您可以通过应用PR#223上的更改来自己解决此问题;它将flask_security/utils.py
文件中的verify_password()
函数替换为:
The fix is not yet part of a new release. You can fix this issue yourself by applying the change from PR #223; it replaces the verify_password()
function in the flask_security/utils.py
file with:
def verify_password(password, password_hash):
"""Returns ``True`` if the password matches the supplied hash.
:param password: A plaintext password to verify
:param password_hash: The expected hash value of the password (usually form your database)
"""
if _security.password_hash != 'plaintext':
password = get_hmac(password)
return _pwd_context.verify(password, password_hash)
例如像原始的encrypt_password()
一样,先使用HMAC + SHA512对密码进行哈希处理,然后再对哈希进行验证,然后像原始的encrypt_password()
一样对 not 应用encrypt_password()
.
e.g. first hash the password with HMAC+SHA512 before verifying it against the hash, just as the original encrypt_password()
does, and not apply encrypt_password()
as the current released version does.
这篇关于我每次重新加载页面时,flask-security crypto_password('mypassword')都会有所不同的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!