Using custom method to encrypt password in webapp2

A. Kong

Jan 4, 2016, 1:12:37 AM
to Google App Engine
Hi all,

If I understand it correctly, GAE webapp2 encrypts password using SHA1 (see method create_user as in https://webapp-improved.appspot.com/_modules/webapp2_extras/appengine/auth/models.html)

I want to be able to switch to SHA-256 or other algorithm. Is there any official way to override this?  I found this github repo and its recommendation seems to be rolling your own RequestHandler. Is it a good approach? Is there any other alternative?

There is a related entry in the archived bug tracker https://code.google.com/p/webapp-improved/issues/detail?id=57  Is the comment there still up to date?

Cheers

Nick (Cloud Platform Support)

Jan 4, 2016, 7:46:14 PM
to Google App Engine
Could you by any chance provide a link to the github repo which suggests a RequestHandler solution?

As to your second question, you could certainly attempt to view the source code in webapp2 referenced in the linked webapp-improved PIT issue and see if the 2012 comment still holds up to reason.

Richard Cheesmar

Jan 5, 2016, 10:36:12 AM
to Google App Engine
try something like this:


# Python 2.7 (the App Engine runtime webapp2 targets); str is bytes here.
import hashlib
import logging

import webapp2


def chunks(seq, size):
    """Yield successive fixed-size slices of seq (the last one may be shorter)."""
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def hashing(plaintext, salt="", sha="512"):
    """ Returns the hashed and encrypted hexdigest of a plaintext and salt"""
    app = webapp2.get_app()

    # Hashing
    if sha == "1":
        phrase = hashlib.sha1()
    elif sha == "256":
        phrase = hashlib.sha256()
    else:
        phrase = hashlib.sha512()
    phrase.update("%s@%s" % (plaintext, salt))
    phrase_digest = phrase.hexdigest()

    # Encryption (PyCrypto)
    # wow... it's so secure :)
    try:
        from Crypto.Cipher import AES

        mode = AES.MODE_CBC

        # We can not generate a random initialization vector because it is difficult to retrieve them later
        # without knowing a priori the hash to match. We take 16 bytes from the hexdigest to make the vectors
        # different for each hashed plaintext.
        iv = phrase_digest[:16]
        # 'aes_key' must be 16, 24 or 32 bytes long for AES.new() to accept it.
        encryptor = AES.new(app.config.get('aes_key'), mode, iv)
        # CBC needs 16-byte blocks: a sha256/sha512 hexdigest (64/128 chars) splits evenly,
        # but a sha1 hexdigest (40 chars) leaves an 8-char tail that encrypt() rejects.
        ciphertext = [encryptor.encrypt(chunk) for chunk in chunks(phrase_digest, 16)]
        return ''.join(ciphertext)
    except Exception as e:
        logging.error("CRYPTO is not running: {}".format(e))
        raise
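As an added example (not code from the thread, and not webapp2's own code): a stand-alone Python 3 sketch of the switch the original question asks about, done the way a password store is normally migrated rather than by encrypting the digest. It keeps the `hashval$salt$method` storage format that webapp2_extras.security writes, so the method is read back off the stored string, existing salted SHA-1 hashes keep verifying, new hashes use PBKDF2-HMAC-SHA256 from the standard library, and a successful login with a legacy hash rehashes it. The `_legacy_hash` function is my reading of what webapp2_extras.security.hash_password does for the salted case (HMAC keyed with the salt over the password, using the named hashlib digest); treat it as an assumption to confirm against the webapp2 source before relying on it for a real migration. The `login` function and the dict standing in for the User entity's `password` property are illustrative.

```python
"""Password hashing in webapp2's 'hashval$salt$method' format, with the method
upgraded from salted SHA-1 to PBKDF2-HMAC-SHA256 and legacy hashes rehashed on
a successful login.  Standard library only; stands in for webapp2_extras.security.
"""
import binascii
import hashlib
import hmac
import os

# hashlib digest names webapp2 accepts for its salted-HMAC scheme.
LEGACY_METHODS = ("sha1", "sha256", "sha512")
PBKDF2_METHOD = "pbkdf2_sha256"     # hypothetical method tag for the new scheme
PBKDF2_ROUNDS = 200_000
SALT_BYTES = 16


def _legacy_hash(password: str, method: str, salt: str) -> str:
    # Assumed reconstruction of webapp2_extras.security.hash_password() with a salt:
    # HMAC keyed with the salt over the UTF-8 password, hex-encoded.
    return hmac.new(salt.encode("utf-8"), password.encode("utf-8"), method).hexdigest()


def _pbkdf2_hash(password: str, salt: str) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("utf-8"), PBKDF2_ROUNDS)
    return dk.hex()


def generate_password_hash(password: str, method: str = PBKDF2_METHOD) -> str:
    """Return 'hashval$salt$method' as webapp2 stores it; defaults to PBKDF2."""
    salt = binascii.hexlify(os.urandom(SALT_BYTES)).decode("ascii")
    if method == PBKDF2_METHOD:
        hashval = _pbkdf2_hash(password, salt)
    elif method in LEGACY_METHODS:
        hashval = _legacy_hash(password, method, salt)
    else:
        raise ValueError("unsupported method: %r" % method)
    return "%s$%s$%s" % (hashval, salt, method)


def check_password_hash(password: str, pwhash: str) -> bool:
    """Verify a password against a stored hash.  The method comes from the
    stored string, so SHA-1 and PBKDF2 entries coexist during a migration."""
    if pwhash.count("$") < 2:
        return False
    hashval, salt, method = pwhash.split("$", 2)
    if method == PBKDF2_METHOD:
        candidate = _pbkdf2_hash(password, salt)
    elif method in LEGACY_METHODS:
        candidate = _legacy_hash(password, method, salt)
    else:
        return False
    # Constant-time comparison so timing does not leak the stored digest.
    return hmac.compare_digest(candidate, hashval)


def needs_rehash(pwhash: str) -> bool:
    """True if the stored hash still uses a pre-PBKDF2 method."""
    return pwhash.rsplit("$", 1)[-1] != PBKDF2_METHOD


def login(stored: dict, password: str) -> bool:
    """Verify and, when the stored hash is legacy, upgrade it in place.
    `stored` is an illustrative stand-in for the User entity; in webapp2 this
    logic would live in a User subclass's get_by_auth_password()."""
    if not check_password_hash(password, stored["password"]):
        return False
    if needs_rehash(stored["password"]):
        stored["password"] = generate_password_hash(password)
    return True


if __name__ == "__main__":
    # Constructed sample: a user record created under the old SHA-1 scheme.
    user = {"password": generate_password_hash("correct horse", method="sha1")}
    print("before:", user["password"])
    print("login ok:", login(user, "correct horse"))
    print("after: ", user["password"])
```

In a webapp2 app the smallest change for SHA-256 alone is to override `User.create_user` in a subclass and call `webapp2_extras.security.generate_password_hash` with `method='sha256'`, since the method name is recorded in the stored string and `check_password_hash` reads it back; the example above goes one step further and replaces the single salted digest with an iterated KDF, which is what makes offline guessing expensive.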