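Problem description
I wonder if anyone has used this Flask extension to simplify the http-basic-auth. Basically I don't understand this example: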
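from flask_httpauth import HTTPBasicAuth

auth = HTTPBasicAuth()

users = {
    "john": "hello",
    "susan": "bye"
}

@auth.get_password
def get_pw(username):
    if username in users:
        return users[username]
    return None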
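The get_password decorator seems to return the clear password of the given user, and if it matches the one the user has provided, then the authorization will be granted.
But no one should have access to the clear passwords of the users in the first place. I usually send the clear password and username to the backend, hash the password and compare it to the existing hashed password in the database.
How has this been envisioned?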
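UPDATE:
The link to the docs sheds some more light, since there is a second decorator required to achieve this:
@auth.hash_password
def hash_pw(username, password):
    # get_salt() and hash() stand for the application's own salt lookup and hash function
    salt = get_salt(username)
    return hash(password, salt)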
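Literally the rule is get_password(username) == hash_password(password)
The way I understand this to work is that get_password returns the user's hashed password in the database, which needs to be equal to the currently hashed password defined in the hash_password method.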
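The problem is, though, that I am using sha256_crypt from passlib.
from passlib.hash import sha256_crypt

def verify_password(password, hashed_password_in_db, password_hash_version):
    # Only hash version 1 (passlib sha256_crypt) is accepted; anything else is refused.
    if password_hash_version == 1:
        return sha256_crypt.verify(password, hashed_password_in_db)
    return False
In here you can't hash the given password and compare it to the stored hashed password. I have to use the method sha256_crypt.verify(password, hashed_password_in_db), which returns false or true.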
Is there a way to achieve this or do I have to roll my own custom solution? Thanks
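I just realized this question remained unanswered.
I am sure the project flask-httpauth is great for cases where you intend to use an md5 hash.
But as in my case, if you use sha256_crypt you can't make it work with this extension, due to the way it works. (See my updated question)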
What I ended up doing is to use this snippet written by the maker of Flask. The method check_auth is exactly what I needed, as it returns a boolean.
In my case I have defined it like this to make it work with sha256_crypt:
def check_auth(email, password):
    # ndb is the Google App Engine datastore API (assumed import: from google.appengine.ext import ndb);
    # get_provider_id and constants are the application's own helpers.
    em_login_provider = ndb.Key('AuthProvider', get_provider_id(constants.EMAIL, email)).get()
    if em_login_provider and em_login_provider.active:
        user = em_login_provider.user
        if user and verify_password(password, user.password_hash, user.password_hash_version):
            return True
    return False
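Why the equality rule from the question breaks with a self-salting hash, as an added example that is not part of the original post or of Flask-HTTPAuth: stdlib PBKDF2 with a random salt stands in here for passlib's sha256_crypt, and the user store, ROUNDS and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # constructed work factor for this example


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Boolean verifier: re-derive with the salt embedded in the stored value."""
    try:
        salt_hex, _ = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed user store: only salted hashes are kept, never clear passwords.
USERS = {"john": hash_password("hello"), "susan": hash_password("bye")}


def equality_model(username, password):
    """The get_password(username) == hash_password(password) rule,
    applied to a hash function that draws its own salt."""
    return USERS.get(username) == hash_password(password)


def check_auth(username, password):
    """Boolean check in the shape of the answer's check_auth."""
    stored = USERS.get(username)
    if stored is None:
        # Spend comparable time for unknown users, then refuse.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print(equality_model("john", "hello"))  # False: new salt, new hash string
    print(check_auth("john", "hello"))      # True: salt taken from the stored value
```

Flask-HTTPAuth also accepts a boolean callback registered with @auth.verify_password, so a function shaped like check_auth can be plugged into the extension directly.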