
Ticket #2283 (closed enhancement: migrated)

Opened 10 years ago

Last modified 8 years ago

In model.auth.User, expose password-hashing mechanism

Reported by: pitrou
Owned by: Gustavo
Priority: normal
Milestone: 2.2
Component: TurboGears
Version: 2.0b7
Severity: normal
Keywords: authentication, model
Cc:

Description

This is how I've modified the default XXX/model/auth.py in order to expose password hashing as a classmethod. This is so as to make it easier to generate hashed passwords from a Python prompt. Then, applications where the users list is known in advance can hardcode those users in the deployment scripts without any fear of leaking clear-text passwords :-)

    # Module-level imports needed by the methods below (Python 2 code, as in
    # TurboGears 2.0b7's model/auth.py)
    import os
    from hashlib import sha1

    # Methods added to the User class:

    @classmethod
    def hash_password(cls, password):
        """From a clear text password, return a hashed password."""
        # Work on a byte string so that the concatenation below is well-defined
        if isinstance(password, unicode):
            password_8bit = password.encode('UTF-8')
        else:
            password_8bit = password

        # 40-hex-character random salt, derived from 60 bytes of OS randomness
        salt = sha1()
        salt.update(os.urandom(60))
        # Digest of the password followed by the salt's hex form
        digest = sha1()
        digest.update(password_8bit + salt.hexdigest())
        # Stored form: salt hex (40 chars) followed by digest hex (40 chars)
        hashed_password = salt.hexdigest() + digest.hexdigest()

        # Make sure the hashed password is a unicode object at the end of the
        # process, because SQLAlchemy _wants_ a unicode object for Unicode columns
        if not isinstance(hashed_password, unicode):
            hashed_password = hashed_password.decode('UTF-8')
        return hashed_password

    def _set_password(self, password):
        """Hash password on the fly."""
        self._password = self.hash_password(password)
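
The same salt-plus-SHA-1 scheme, with the matching verification step the ticket does not show, as an added Python 3 example that is not the ticket's or TurboGears' own code; `validate_password` and `hash_with_salt` are names chosen here, and the split point assumes the 40-character hex salt the scheme above produces.

```python
import hashlib
import hmac
import os

SALT_HEX_LEN = 40  # sha1().hexdigest() is always 40 hex characters


def hash_with_salt(password, salt_hex):
    """Return salt_hex + sha1(password_utf8 + salt_hex), the stored format."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    digest_hex = hashlib.sha1(password + salt_hex.encode("ascii")).hexdigest()
    return salt_hex + digest_hex


def hash_password(password):
    """Plain-function form (equivalent to the staticmethod suggested in comment 2).

    Note: one fast SHA-1 round is cheap to brute-force offline; the example keeps
    the ticket's scheme for compatibility, a slow KDF (PBKDF2, bcrypt, scrypt,
    Argon2) is what a new deployment would choose.
    """
    salt_hex = hashlib.sha1(os.urandom(60)).hexdigest()
    return hash_with_salt(password, salt_hex)


def validate_password(stored, candidate):
    """Recompute the digest from the stored salt and compare in constant time."""
    if len(stored) != 2 * SALT_HEX_LEN:
        return False
    try:
        stored_bytes = stored.encode("ascii")
    except UnicodeEncodeError:
        return False  # not a value this scheme ever produced
    salt_hex = stored[:SALT_HEX_LEN]
    recomputed = hash_with_salt(candidate, salt_hex).encode("ascii")
    # compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(stored_bytes, recomputed)


if __name__ == "__main__":
    # Constructed sample: what a deployment script would embed instead of the
    # clear-text password
    stored = hash_password("example-password")
    print(stored)
    print(validate_password(stored, "example-password"))  # True
    print(validate_password(stored, "wrong"))             # False
```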

Change History

comment:1 Changed 10 years ago by Gustavo

  • Owner set to Gustavo
  • Keywords authentication, model added
  • Status changed from new to assigned
  • Milestone changed from 2.0rc1 to 2.1

Sounds good.

comment:2 (follow-up: comment 4) Changed 10 years ago by mramm

Why not go the whole way and make it a static method? Not that it makes a big difference, but hash_password doesn't need cls or self...

comment:3 Changed 10 years ago by pitrou

Well, I can't think of a case where a staticmethod would be more useful than a classmethod. I find classmethods generally more flexible (but since the calling convention is the same I agree it doesn't make much of a difference, it can be changed back later).

comment:4 (in reply to comment 2) Changed 10 years ago by Gustavo

Replying to mramm:

Why not go the whole way and make it a static method? Not that it makes a big difference, but hash_password doesn't need cls or self...

+1

comment:5 Changed 9 years ago by mramm

  • Milestone changed from 2.1 to 2.2

comment:6 Changed 8 years ago by pedersen

  • Status changed from assigned to closed
  • Resolution set to migrated