如何在django中获取密码?

时间:2022-01-14 07:33:34

I have a python library which I wrote for something else. So I import that to use in Django, problem I am facing is how to get the password.

我有一个python库,我为其他东西写了。所以我导入它用于Django,我面临的问题是如何获取密码。

mycustom_lib_function(username, password)

username I can pass in through request.user

用户名我可以通过request.user传入

But, I am not sure how to get the password. Can someone help me? Thanks.

但是,我不知道如何获取密码。有人能帮我吗?谢谢。

3 个解决方案

#1


3  

Your function mycustom_lib_function should not be using a plaintext password. After a user authenticates with your application, you have a User object (from django.contrib.auth.models) that contains a hashed password:

你的函数mycustom_lib_function不应该使用明文密码。用户使用您的应用程序进行身份验证后,您将拥有一个包含哈希密码的User对象(来自django.contrib.auth.models):

>>> user.username
u'myusername'
>>> user.password
u'sha1$98ffc$b5fd085b8bc1c05fd241dfc97230631926141fe7'

The actual password typed into your form is not stored in plaintext, as standard web security advises you not to store plaintext values of passwords after authentication.
Note that you could check the above hash by performing:

输入表单的实际密码不会以明文形式存储,因为标准Web安全建议您在身份验证后不要存储密码的明文值。请注意,您可以通过执行以下操作检查上述哈希:

>>> from hashlib import sha1
>>> password = 'weak_password'
>>> _, salt, hashpw = user.password.split('$')
>>> sha1(salt+password).hexdigest() == hashpw
True

Now if your application wraps into another application that you do not control that needs a password to do certain actions, you can possibly consider storing their password in plaintext (or slightly better encrypting it), but django.contrib.auth will not do this for you. It would be better if you set up an OAuth type credential system, which does exactly this functionality without necessitating users reveal their password to the intermediate site.

现在,如果您的应用程序包装到您无法控制的另一个需要密码来执行某些操作的应用程序中,您可以考虑将其密码以明文形式存储(或稍微加密一下),但是django.contrib.auth不会这样做您。如果您设置OAuth类型的凭据系统会更好,它可以完全实现此功能,而无需用户向中间站点显示其密码。

If its an application that you do control, I would drop the requirement for password to be passed to it.

如果它是您控制的应用程序,我将删除要传递给它的密码的要求。

#2


10  

The password in User is hashed, and so you cannot get it. Ask the user.

用户中的密码是经过哈希处理的,因此您无法获得该密码。问用户。

#3


1  

You technically can store the password as plain-text but its not right from a security stand poit, see this answer, it is highly not recommended! django.contrib.auth.hashers has some good tools to use for passwords, see the official Django docs.

从技术上讲,您可以将密码存储为纯文本,但不能从安全支架poit中存储,请参阅此答案,强烈建议不要这样做! django.contrib.auth.hashers有一些很好的工具可用于密码,请参阅Django官方文档。

If you have an idea what the plain-text password could be, i.e. I have a globally stored default password in one of my applications that is stored in plain-text, as in the example below. To check if a user has their password set to the default one, you can use the check_password function that will return True if the plain-text matches the encoded password:

如果您知道明文密码可能是什么,即我在我的一个应用程序中有一个全局存储的默认密码,该密码以纯文本形式存储,如下例所示。要检查用户是否将其密码设置为默认密码,您可以使用check_password函数,如果纯文本与编码密码匹配,则返回True:

from django.contrib.auth.hashers import check_password
from django.contrib.auth.models import User
u = User.objects.all().first()
if check_password('the default password', u.password):
    print 'user password matches default password'
else:
    print 'user a set custom password'

Also see is_password_usable, and make_password functions.

另请参阅is_password_usable和make_password函数。

#1


3  

Your function mycustom_lib_function should not be using a plaintext password. After a user authenticates with your application, you have a User object (from django.contrib.auth.models) that contains a hashed password:

你的函数mycustom_lib_function不应该使用明文密码。用户使用您的应用程序进行身份验证后,您将拥有一个包含哈希密码的User对象(来自django.contrib.auth.models):

>>> user.username
u'myusername'
>>> user.password
u'sha1$98ffc$b5fd085b8bc1c05fd241dfc97230631926141fe7'

The actual password typed into your form is not stored in plaintext, as standard web security advises you not to store plaintext values of passwords after authentication.
Note that you could check the above hash by performing:

输入表单的实际密码不会以明文形式存储,因为标准Web安全建议您在身份验证后不要存储密码的明文值。请注意,您可以通过执行以下操作检查上述哈希:

>>> from hashlib import sha1
>>> password = 'weak_password'
>>> _, salt, hashpw = user.password.split('$')
>>> sha1(salt+password).hexdigest() == hashpw
True

Now if your application wraps into another application that you do not control that needs a password to do certain actions, you can possibly consider storing their password in plaintext (or slightly better encrypting it), but django.contrib.auth will not do this for you. It would be better if you set up an OAuth type credential system, which does exactly this functionality without necessitating users reveal their password to the intermediate site.

现在,如果您的应用程序包装到您无法控制的另一个需要密码来执行某些操作的应用程序中,您可以考虑将其密码以明文形式存储(或稍微加密一下),但是django.contrib.auth不会这样做您。如果您设置OAuth类型的凭据系统会更好,它可以完全实现此功能,而无需用户向中间站点显示其密码。

If its an application that you do control, I would drop the requirement for password to be passed to it.

如果它是您控制的应用程序,我将删除要传递给它的密码的要求。

#2


10  

The password in User is hashed, and so you cannot get it. Ask the user.

用户中的密码是经过哈希处理的,因此您无法获得该密码。问用户。

#3


1  

You technically can store the password as plain-text but its not right from a security stand poit, see this answer, it is highly not recommended! django.contrib.auth.hashers has some good tools to use for passwords, see the official Django docs.

从技术上讲,您可以将密码存储为纯文本,但不能从安全支架poit中存储,请参阅此答案,强烈建议不要这样做! django.contrib.auth.hashers有一些很好的工具可用于密码,请参阅Django官方文档。

If you have an idea what the plain-text password could be, i.e. I have a globally stored default password in one of my applications that is stored in plain-text, as in the example below. To check if a user has their password set to the default one, you can use the check_password function that will return True if the plain-text matches the encoded password:

如果您知道明文密码可能是什么,即我在我的一个应用程序中有一个全局存储的默认密码,该密码以纯文本形式存储,如下例所示。要检查用户是否将其密码设置为默认密码,您可以使用check_password函数,如果纯文本与编码密码匹配,则返回True:

from django.contrib.auth.hashers import check_password
from django.contrib.auth.models import User
u = User.objects.all().first()
if check_password('the default password', u.password):
    print 'user password matches default password'
else:
    print 'user a set custom password'

Also see is_password_usable, and make_password functions.

另请参阅is_password_usable和make_password函数。