Python Flask user login with encryption

Time: 2021-08-13 18:28:47

I am trying to create a "Create User" route, followed by a "Log In" route, on a website I am creating.

I need the passwords from the Create User to be encrypted (the route is a POST method, with variable names of "username", "password", etc.).

I need the encrypted password, the username, and the rest of the variables to be inserted into a database on the server I am running.

I need the login route to confirm the correct credentials. I know how to check the username, but I can't seem to figure out how to verify the encrypted password that is stored in the database.

I have tried a couple of examples online, but most of them are just of creating static users, and I can't seem to replicate it for my database. Any help would be appreciated.

2 solutions

#1


0  

Although

Any help would be appreciated.

is not really a question, I assume you want to know how to store passwords securely and check against those stored passwords.

As you are already using flask you can use one of its dependencies werkzeug which makes this task very easy.

For more details look here

from werkzeug.security import generate_password_hash, check_password_hash

# when creating a user whose password is 'password'
password = the_password_the_user_specified()  # placeholder: read it from the POST form
hashed = generate_password_hash(password)
# take a look at the result: it's a salted and hashed password
# now save the user with the hashed password in your database

# when a user wants to log in
# select the password hash for the username the user entered in your form
password = the_password_the_user_entered()  # placeholder: read it from the POST form
hashed = database_get_password_for_user()   # placeholder: the stored hash for that username
# now compare the passwords
matches = check_password_hash(hashed, password)
if matches:
    pass  # login
else:
    pass  # wrong password

So for "encryption" use generate_password_hash(entered) and save this instead of the plain text password, and for decryption use check_password_hash(hashed, entered). Don't make the mistake of using generate_password_hash when the user wants to log in and comparing both hashes. That does not work because the salts differ.

#2


0  

I am using bcrypt for this https://pypi.python.org/pypi/bcrypt/2.0.0. This is another option for creating hashes.

Where I have two methods in my User class:

import requests, bcrypt, pymongo
from datetime import datetime
# ...

class User:
    def __init__(self, db, config):
        self.users = db['users']
        self.config = config

    def pwd_set(self, id, pwd):
        # hash the password with the pre-defined salt from config and store the result
        h = bcrypt.hashpw(pwd.encode('utf-8'), self.config['SALT'])
        self.users.update_one({'_id': id}, {"$set": {"password": h, "modified": datetime.utcnow()}})

    def pwd_match(self, client_pwd, server_pwd):
        # re-hash the entered password with the same salt and compare it with the stored hash
        h = bcrypt.hashpw(client_pwd.encode('utf-8'), self.config['SALT'])
        return h == server_pwd

You need to have the salt pre-defined in such cases to use it upon hashing, which may not be the best option. Whenever I have to turn plain text into a hash I use pwd_set, and whenever I have to check if the password matches I use the pwd_match method to verify that the text is the same as the encrypted password hash in the db.

You can also take a look at https://flask-bcrypt.readthedocs.org/en/latest/
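
Putting the two answers together as an added example (not code from either answer, nor from werkzeug, Flask or bcrypt): the generate-then-check pattern from #1, but with a fresh random salt per user instead of the pre-defined salt from #2, done with the standard library so it runs without Flask. The two route handlers are reduced to plain functions over an in-memory sqlite3 table; the table name `users`, the `pbkdf2_sha256$iterations$salt$digest` storage format and the iteration count are assumptions.

```python
import hashlib, hmac, secrets, sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def generate_password_hash(password: str) -> str:
    # Returns 'pbkdf2_sha256$iterations$salt$digest' with a fresh random salt on every call.
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest}"

def check_password_hash(stored: str, password: str) -> bool:
    # Re-hash the candidate with the salt and iteration count embedded in the stored string.
    try:
        method, iterations, salt, digest = stored.split("$")
    except ValueError:
        return False
    if method != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations)).hex()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def create_user(db, username: str, password: str) -> None:
    # What the POST "create user" handler does: store the hash, never the plain-text password.
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)",
               (username, generate_password_hash(password)))

def login(db, username: str, password: str) -> bool:
    # What the POST "login" handler does: look up the stored hash and verify against it.
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and check_password_hash(row[0], password)

def demo() -> dict:
    db = sqlite3.connect(":memory:")  # constructed in-memory stand-in for the server database
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    create_user(db, "alice", "correct horse")
    stored = db.execute("SELECT password FROM users WHERE username = 'alice'").fetchone()[0]
    return {
        "login_ok": login(db, "alice", "correct horse"),
        "wrong_password": login(db, "alice", "wrong"),
        "unknown_user": login(db, "bob", "correct horse"),
        # hashing again at login and comparing the two strings fails: the salts differ
        "naive_compare": generate_password_hash("correct horse") == stored,
    }

if __name__ == "__main__":
    print(demo())
```

The `naive_compare` entry is the mistake answer #1 warns about: a second generate_password_hash call produces a different salt, so only check_password_hash, which reads the salt back out of the stored value, can verify.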
