Use a database built using web2py in another app


黄祥

May 18, 2018, 11:34:24 AM5/18/18
to web2py-users
objective:
use a database built using web2py in another app, like the PHP Slim framework, Express.js or restify, since those frameworks don't need to define the database models.

problem:
I don't know how to use the auth_user table for login in another app, because it is not clear how the password field is stored in the database table.

learn from the book:
By default, CRYPT uses 1000 iterations of the pbkdf2 algorithm combined with SHA512 to produce a 20-byte-long hash. 
ref:

question:
What is the crypt module used by web2py to encrypt the password field? The book says 1000 iterations of the pbkdf2 algorithm combined with SHA512 to produce a 20-byte-long hash, but I'm not sure I understand the meaning.

thanks and best regards,
stifan

Anthony

May 18, 2018, 3:05:33 PM5/18/18
to web2py-users
Here is the code that compares a plain text password to the stored hashed password: https://github.com/web2py/web2py/blob/4ed36cfb1fe960d5c818c53562d920d407e991ae/gluon/validators.py#L2919-L2922

The salt and the digest algorithm name and parameters are stored in a string combined with the hash. The above linked code extracts the salt, digest algorithm, and hash stored in the database. It then uses the salt and digest algorithm info to hash the plain text password in order to determine if it is the same as the stored hash.

To hash the password, it calls simple_hash in gluon.utils. You can review that code to figure out how the hashing is done.

As seen here, the default digest algorithm used by CRYPT (and ultimately passed to simple_hash) is pbkdf2(1000,20,sha512), so unless you have changed the default, that is what you should use.

You'll have to figure out how to replicate the hashing process in whatever language you are using, though the algorithms are standard, so hopefully that will be fairly straightforward.

Anthony

Anthony

May 18, 2018, 4:36:59 PM5/18/18
to web...@googlegroups.com
Note, you might also consider exposing web2py as a CAS provider to your other apps, letting web2py handle all the authentication logic.

黄祥

May 18, 2018, 6:05:57 PM5/18/18
to web2py-users
Thanks Anthony. As expected from web2py, the crypt algorithm is secure (not just a simple step to store the sensitive one). I'll try your second advice (using web2py as a CAS provider) first, because it is simpler than the first advice.

thanks and best regards,
stifan