在 Pyramid 中存储和验证用于登录的加密密码 [英] Storing and validating encrypted password for login in Pyramid

问题描述

我正在尝试验证 Pyramid 中用于 login 目的的加密密码.这样，如果用户和密码匹配，则系统将授权用户.目前我发现很难编写一个函数来比较密码在数据库中加密并且输入到 Pyramid 的 login 表单中的密码未加密.现在，我没有在登录视图中进行验证.

I am trying to validate an encrypted password for login purposes in Pyramid. So that if the user and password match then the system will authorize the user. At the moment I am finding it difficult to write a function to compare passwords when one is encrypted in the database and the the password being entered into Pyramid's login form is unencrypted. Right now, I have no verification occurring in the login view.

我对使用安全措施/代码的整个过程不熟悉，并希望正确地做到这一点.我在看这个 Auth 教程，但是 User 类中的加密略有不同，我正在使用 Pyramid 的 Auth 套件.任何关于如何成功和巧妙地做到这一点的指导都将受到高度赞赏.

I am new to this entire process of working with security measures/code and want to do this right. I was looking at this Auth tutorial, however the encryption in the User class is slightly different and I am using Pyramid's Auth kit. Any guidance on how to do this successfully and smartly would be highly appreciated.

软件:Python 2.7.9、Pyramid 1.5.7、SQLAlchemy 1.0.9

数据库类:

class User(Base):
    __tablename__ = 'users'

    id = Column(Integer, primary_key=True)
    username = Column(String(15), nullable=False, unique=True)
    email = Column(String(300))
    password = Column(String(300), nullable=False)

    def __init__(self, username, password, email):
        self.username = username
        self.password = hashlib.sha224(password).hexdigest()
        self.email = email

    def __repr__(self):
        return "<User(username ='%s', password='%s', email='%s')>" % (self.username, self.password, self.email)

观看次数

@view_config(route_name='login', renderer='templates/login.jinja2')
@forbidden_view_config(renderer='templates/login.jinja2')
def login(request):
    login_url = request.route_url('login')
    referrer = request.url
    if referrer == login_url:
        referrer = '/' # never use the login form itself as came_from
    came_from = request.params.get('came_from', referrer)
    message = ''
    login = ''
    password = ''
    if 'form.submitted' in request.params:
        login = request.params['login']
        password = request.params['password']

        user = api.retrieve_user(login) # need some way to validate password
        if user is not None: # need to check user/password here, redirect if wrong
            headers = remember(request, login)
            return HTTPFound(location = came_from,
                             headers = headers)
            message = 'Failed login'

    return dict(
        message = message,
        url = request.application_url + '/login',
        came_from = came_from,
        login = login,
        password = password,
        )

推荐答案

请修改您的代码，添加优秀的 passlib 库，并使用 bcrypt 作为哈希算法的安全密码存储.

Please modify your code, add the excellent passlib library, and use secure password storage using bcrypt as the hashing algorithm.

在您的项目 setup.py 中添加以下作为要求:

In your projects setup.py add the following as requirements:

• bcrypt
• 密码库

然后为您的模型使用以下代码片段:

And then use the following code snippet for your model:

from passlib.hash import bcrypt

class User(Base):
    __tablename__ = 'users'

    id = Column(Integer, primary_key=True)
    username = Column(String(15), nullable=False, unique=True)
    email = Column(String(300))
    password = Column(String(300), nullable=False)

    def __init__(self, username, password, email):
        self.username = username
        self.password = bcrypt.encrypt(password)
        self.email = email

    def validate_password(self, password):
        return bcrypt.verify(password, self.password)

    def __repr__(self):
        return "<User(username ='%s', password='%s', email='%s')>" % (self.username, self.password, self.email)

这篇关于在 Pyramid 中存储和验证用于登录的加密密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！