flask-httpauth:get_password装饰器是如何为basic-auth工作的? [英] flask-httpauth: How is get_password decorator meant to work for basic-auth?
问题描述
我想知道是否有人使用这个烧瓶扩展来简化http-basic-auth。
users = {
john:hello,
susan:bye
}
@ auth.get_password
def get_pw(用户名):
如果用户名为:
返回用户[用户名]
返回无
get_password 装饰器似乎要返回给定用户的清除密码,如果它与用户提供的密码匹配,那么授权将被授予。
但是没有人能够首先获得用户的明确密码。我通常发送清除密码和用户名到后端,散列密码并将其与数据库中现有的散列密码进行比较。
这是如何设想的?
更新:
因为在那里需要第二个装饰器:
@ auth.hash_password
def hash_pw(用户名,密码):
get_salt(username)
返回hash(密码,salt)
字面意思规则是 get_password(username)== hash_password(password)
c $ c> get_password 在数据库中返回用户的哈希密码,这个密码需要和 hash_password 方法中定义的当前哈希密码相同。 / p>
问题是,我正在使用passlib中的 sha256_crypt
$ $ p $ def verify_password(password,hashed_password_in_db,password_hash_version):$ b $如果password_hash_version == 1:
返回sha256_crypt.verify(密码,hashed_password_in_db)
返回False
在这里你不能H扫描给定的密码并将其与存储的散列密码进行比较。我必须使用方法 sha256_crypt.verify(password,hashed_password_in_db),它返回false或true。
有没有办法达到这个要求,还是必须推出我自己的定制解决方案?谢谢
我刚刚意识到这个问题仍然没有答案。
我相信项目 flask-httpauth 对于打算使用md5散列的情况非常有用。 / p>
但是和我一样,如果你使用 sha256_crypt ,你不能使用这个扩展,因为它的工作方式。 (见我更新的问题)
方法 check_auth 是正是我所需要的,因为它返回布尔值。
在我的情况下,我已经这样定义它,使它与 sha256_crypt $ b $ pre $ code def def_auth(email,password)
em_login_provider = ndb.Key('AuthProvider',get_provider_id如果用户和验证密码(密码,user.password_hash,user.password_hash_version)是em_login_provider和em_login_provider.active:
user = em_login_provider.user
, :
return True
return False
I wonder if anyone has used this flask extension to simplify the http-basic-auth.
Basically I don't understand this example:
users = {
"john": "hello",
"susan": "bye"
}
@auth.get_password
def get_pw(username):
if username in users:
return users[username]
return None
The get_password decorator seems like to return the clear password of the given user and if it matches to the one the user has provided, then the authorization will be granted.
But no one should have access to the clear passwords of the users in first place. I usually send the clear password and username to the backend, hash the password and compare it to the existing hashed password in the database.
How has this been envisioned?
UPDATE:
The link to the docs sheds some more light. since there a second decorator required to achieve this:
@auth.hash_password
def hash_pw(username, password):
get_salt(username)
return hash(password, salt)
Literally the rule is get_password(username) == hash_password(password)
The way I understand this to work is get_password returns the user's hashed password in the database, which needs to be equal to the currently hashed password defined in hash_password method.
The problem is though, I am using sha256_crypt from passlib.
def verify_password(password, hashed_password_in_db, password_hash_version):
if password_hash_version == 1:
return sha256_crypt.verify(password, hashed_password_in_db)
return False
In here you can't hash the given password and compare it to the stored hashed password. I have to use the method sha256_crypt.verify(password, hashed_password_in_db), which returns false or true.
Is there a way to achieve this or do I have to roll my own custom solution? Thanks
I just realized this questions remained unanswered.
I am sure the project flask-httpauth is great for cases, where you intend to use md5 hash.
But as in my case, if you use sha256_crypt you can't make it work with this extension, due the way it works. (See my updated question)
What I ended up doing is to use this snippet written by the maker of flask.
The method check_auth is exactly what I needed as it returns boolean.
In my case I have defined it like this to make it work with sha256_crypt
def check_auth(email, password):
em_login_provider = ndb.Key('AuthProvider', get_provider_id(constants.EMAIL, email)).get()
if em_login_provider and em_login_provider.active:
user = em_login_provider.user
if user and verify_password(password, user.password_hash, user.password_hash_version):
return True
return False
这篇关于flask-httpauth:get_password装饰器是如何为basic-auth工作的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
