瀏覽代碼

Store hashed password instead of clear-text in database using passlib with argon2

Old password are hashed and updated in database automatically upon login
master
piernov 7 年之前
父節點
當前提交
2db12f2522
共有 3 個文件被更改,包括 13 次插入3 次删除
  1. +7
    -1
      jm2l/models.py
  2. +3
    -1
      jm2l/views.py
  3. +3
    -1
      setup.py

+ 7
- 1
jm2l/models.py 查看文件

@@ -33,6 +33,8 @@ from sqlalchemy.orm import (
from zope.sqlalchemy import ZopeTransactionExtension
from jm2l.const import CurrentYear

from passlib.hash import argon2

DBSession = scoped_session(sessionmaker(extension=ZopeTransactionExtension()))
Base = declarative_base()

@@ -247,7 +249,11 @@ class User(Base):
return MediaPath().get_thumb('users', self.uid)
def verify_password(self, password):
return self.password == password
if not argon2.identify(self.password): # Update existing clear-text password
self.password = argon2.using(rounds=4).hash(self.password)
DBSession.merge(self)

return argon2.verify(password, self.password)

class TiersOpt(Base):
__tablename__ = 'tiers_opt'


+ 3
- 1
jm2l/views.py 查看文件

@@ -33,6 +33,8 @@ import shutil
import glob
from jm2l.const import CurrentYear

from passlib.hash import argon2

## =-=- Here, We keep some usefull function -=-=
def remove_accents(input_str):
""" This function is intended to remove all accent from input unicode string """
@@ -1155,7 +1157,7 @@ def Modal(request):
response = render_to_response('jm2l:templates/modals_js.mako',
{'modtype':modtype},
request=request)
request.user.password = form.password.data
request.user.password = argon2.using(rounds=4).hash(form.password.data)
DBSession.merge(request.user)
response.content_type = 'text/javascript'
return response


+ 3
- 1
setup.py 查看文件

@@ -32,7 +32,9 @@ requires = [
'pyramid_mailer',
'apscheduler',
'qrcode',
'reportlab'
'reportlab',
'passlib',
'argon2_cffi'
]

setup(name='JM2L',


Loading…
取消
儲存