Credential (email) encryption


Michele Serra

Apr 10, 2020, 6:38:02 AM
to web2py-users
Hi, 
I use the email as the login credential, I tried to encrypt the email with

db.auth_user.email.filter_in = lambda value : secure_dumps(value, enc_key)
db.auth_user.email.filter_out = lambda value : secure_loads(value, enc_key)

and it works well, in the database I see the encrypted data while from the appadmin I see the decrypted data.

But when I try to log in, it fails with an "INVALID LOGIN".
Have you ever tried?
What am I doing wrong?

Michele Serra

Apr 21, 2020, 9:16:38 AM
to web...@googlegroups.com
Anyone? Please.

Michele Serra

May 22, 2020, 6:15:41 AM
to web2py-users
Please answer!

Kevin Keller

May 22, 2020, 6:58:25 AM
to web2py-users
Without having checked the code, I am pretty sure that the built-in Auth module of web2py expects a plaintext email in the username field when checking the credentials.

I suppose now it fails as the encrypted email value simply does not match the plaintext one.

You would need to modify the Auth module to encrypt the plaintext email after submitting and then also check against an encrypted value. During user registration you would also need to ensure user name encryption.

This is in fact pretty much how passwords are stored, with a hash, so one-way encryption, and only the hashes are compared.


Kevin Keller

May 22, 2020, 7:02:27 AM
to web2py-users
It shouldn't be hard to use hashes for usernames too, but there may be complications later when it comes to storing user sessions and needing user information in your session etc.

I think it would be easier if you just encrypt the whole database and make web2py read the encrypted data transparently.

You would need to check your database features and configuration for that and also configure web2py to use the database key when connecting etc.
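
The lookup mismatch discussed in the replies above, as an added example that is not part of the thread and is not web2py code: it assumes the stored ciphertext is randomized (fresh nonce per call), and shows a keyed hash of the email kept in a second column so login can still find the row. The table layout, the function names, the keys and the toy cipher are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ENC_KEY = b"constructed-enc-key"      # constructed demo keys, not real secrets
INDEX_KEY = b"constructed-index-key"

def toy_encrypt(value, key):
    # Toy stand-in for a randomized cipher (fresh nonce per call); not for production.
    nonce = os.urandom(16)
    data = value.encode()
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return (nonce + bytes(a ^ b for a, b in zip(data, stream))).hex()

def toy_decrypt(token, key):
    raw = bytes.fromhex(token)
    nonce, body = raw[:16], raw[16:]
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream)).decode()

def blind_index(email, key=INDEX_KEY):
    # Deterministic keyed hash of the normalized email, usable in an equality lookup.
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, "
               "email_enc TEXT, email_idx TEXT UNIQUE)")
    return db

def register(db, email):
    db.execute("INSERT INTO auth_user (email_enc, email_idx) VALUES (?, ?)",
               (toy_encrypt(email, ENC_KEY), blind_index(email)))

def find_by_ciphertext(db, email):
    # Re-encrypting the submitted email yields a new ciphertext, so this never matches.
    return db.execute("SELECT id FROM auth_user WHERE email_enc = ?",
                      (toy_encrypt(email, ENC_KEY),)).fetchone()

def find_by_index(db, email):
    # Look up by keyed hash, then decrypt the stored email for display.
    row = db.execute("SELECT email_enc FROM auth_user WHERE email_idx = ?",
                     (blind_index(email),)).fetchone()
    return toy_decrypt(row[0], ENC_KEY) if row else None

if __name__ == "__main__":
    db = make_db()
    register(db, "alice@example.com")
    print(find_by_ciphertext(db, "alice@example.com"), find_by_index(db, "Alice@Example.com"))
```

The index column is deterministic, so anyone who can read the table can tell when two rows share an email; keeping `INDEX_KEY` separate from the database is what prevents offline guessing of addresses from the hashes.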


Val K

May 22, 2020, 1:20:35 PM
to web2py-users
Try to use SQLCustomType instead of filter_in/out