[TurboGears] #2283: In model.auth.User, expose password-hashing mechanism


TurboGears

Mar 18, 2009, 9:13:58 AM
to turbogear...@googlegroups.com
#2283: In model.auth.User, expose password-hashing mechanism
-------------------------+--------------------------------------------------
Reporter: pitrou | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 2.0rc1
Component: TurboGears | Version: 2.0b7
Severity: normal | Keywords:
-------------------------+--------------------------------------------------
This is how I've modified the default XXX/model/auth.py in order to expose
password hashing as a classmethod. This is so as to make it easier to
generate hashed passwords from a Python prompt. Then, applications where
the users list is known in advance can hardcode those users in the
deployment scripts without any fear of leaking clear-text passwords :-)

{{{
# Module-level imports these methods rely on (Python 2 code).
import os
from hashlib import sha1

# Methods of the User class in model/auth.py:

    @classmethod
    def hash_password(cls, password):
        """From a clear text password, return a hashed password."""
        hashed_password = password

        # Hash bytes, not text: encode unicode input as UTF-8 first.
        if isinstance(password, unicode):
            password_8bit = password.encode('UTF-8')
        else:
            password_8bit = password

        # Random 60-byte seed, reduced to a 40-character hex salt.
        salt = sha1()
        salt.update(os.urandom(60))
        hash = sha1()
        hash.update(password_8bit + salt.hexdigest())
        # Stored value: 40 hex chars of salt followed by 40 hex chars of digest.
        hashed_password = salt.hexdigest() + hash.hexdigest()

        # Make sure the hashed password is a unicode object at the end of
        # the process, because SQLAlchemy _wants_ a unicode object for
        # Unicode columns.
        if not isinstance(hashed_password, unicode):
            hashed_password = hashed_password.decode('UTF-8')
        return hashed_password

    def _set_password(self, password):
        """Hash password on the fly."""
        self._password = self.hash_password(password)
}}}

--
Ticket URL: <http://trac.turbogears.org/ticket/2283>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
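
The storage format produced by `hash_password` above (40 hex characters of salt followed by 40 hex characters of SHA-1 digest), together with the matching check, as an added example that is not part of the ticket or of TurboGears' own code. It is a Python 3 port; the stand-in `User` class, the `_salt_hex` parameter, `verify_password` and `check` are assumptions made for illustration.

```python
import hmac
import os
import re
from hashlib import sha1

# Stored value = 40 hex chars of salt + 40 hex chars of SHA-1 digest.
_STORED_RE = re.compile(r"[0-9a-f]{80}")


class User(object):
    """Stand-in for model.auth.User (assumption: no SQLAlchemy mapping here)."""

    def __init__(self, password):
        self._password = self.hash_password(password)

    @classmethod
    def hash_password(cls, password, _salt_hex=None):
        """Return salt_hex + sha1(password + salt_hex), as in the ticket.

        _salt_hex is a hypothetical extra parameter so that verification
        can reuse the salt of an existing stored value.
        """
        if isinstance(password, str):
            password = password.encode("utf-8")
        if _salt_hex is None:
            _salt_hex = sha1(os.urandom(60)).hexdigest()
        digest = sha1(password + _salt_hex.encode("ascii")).hexdigest()
        return _salt_hex + digest

    @classmethod
    def verify_password(cls, stored, candidate):
        """Hypothetical counterpart: True if candidate matches stored."""
        # Reject anything that is not exactly 80 lowercase hex characters,
        # e.g. a truncated column value or an accidental clear-text password.
        if not isinstance(stored, str) or not _STORED_RE.fullmatch(stored):
            return False
        expected = cls.hash_password(candidate, stored[:40])
        # Constant-time comparison of the two 80-character strings.
        return hmac.compare_digest(expected, stored)

    def check(self, candidate):
        """Compare a login attempt with this user's stored hash."""
        return self.verify_password(self._password, candidate)
```

The scheme is a single salted SHA-1 round, which is fast to compute, so a hash hardcoded in a deployment script still needs the same access control as any other credential file.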

TurboGears

Mar 18, 2009, 4:44:23 PM
to turbogear...@googlegroups.com
#2283: In model.auth.User, expose password-hashing mechanism
-----------------------------------+----------------------------------------
Reporter: pitrou | Owner: Gustavo
Type: enhancement | Status: assigned
Priority: normal | Milestone: 2.1
Component: TurboGears | Version: 2.0b7
Severity: normal | Resolution:
Keywords: authentication, model |
-----------------------------------+----------------------------------------
Changes (by Gustavo):

* keywords: => authentication, model
* owner: => Gustavo
* status: new => assigned
* milestone: 2.0rc1 => 2.1

Comment:

Sounds good.

--
Ticket URL: <http://trac.turbogears.org/ticket/2283#comment:1>

TurboGears

Mar 18, 2009, 9:26:01 PM
to turbogear...@googlegroups.com
#2283: In model.auth.User, expose password-hashing mechanism
-----------------------------------+----------------------------------------
Reporter: pitrou | Owner: Gustavo
Type: enhancement | Status: assigned
Priority: normal | Milestone: 2.1
Component: TurboGears | Version: 2.0b7
Severity: normal | Resolution:
Keywords: authentication, model |
-----------------------------------+----------------------------------------
Comment (by mramm):

Why not go the whole way and make it a static method? Not that it makes
a big difference, but hash_password doesn't need cls or self...

--
Ticket URL: <http://trac.turbogears.org/ticket/2283#comment:2>

TurboGears

Mar 19, 2009, 6:37:15 AM
to turbogear...@googlegroups.com
#2283: In model.auth.User, expose password-hashing mechanism
-----------------------------------+----------------------------------------
Reporter: pitrou | Owner: Gustavo
Type: enhancement | Status: assigned
Priority: normal | Milestone: 2.1
Component: TurboGears | Version: 2.0b7
Severity: normal | Resolution:
Keywords: authentication, model |
-----------------------------------+----------------------------------------
Comment (by pitrou):

Well, I can't think of a case where a staticmethod would be more useful
than a classmethod. I find classmethods generally more flexible (but since
the calling convention is the same I agree it doesn't make much of a
difference, it can be changed back later).

--
Ticket URL: <http://trac.turbogears.org/ticket/2283#comment:3>

TurboGears

Mar 19, 2009, 7:01:25 AM
to turbogear...@googlegroups.com
#2283: In model.auth.User, expose password-hashing mechanism
-----------------------------------+----------------------------------------
Reporter: pitrou | Owner: Gustavo
Type: enhancement | Status: assigned
Priority: normal | Milestone: 2.1
Component: TurboGears | Version: 2.0b7
Severity: normal | Resolution:
Keywords: authentication, model |
-----------------------------------+----------------------------------------
Comment (by Gustavo):

Replying to [comment:2 mramm]:


> Why not go the whole way and make it a static method? Not that it
> makes a big difference, but hash_password doesn't need cls or self...

+1

--
Ticket URL: <http://trac.turbogears.org/ticket/2283#comment:4>

TurboGears

Feb 22, 2010, 7:55:25 PM
to turbogear...@googlegroups.com
#2283: In model.auth.User, expose password-hashing mechanism
-----------------------------------+----------------------------------------
Reporter: pitrou | Owner: Gustavo
Type: enhancement | Status: assigned
Priority: normal | Milestone: 2.2
Component: TurboGears | Version: 2.0b7
Severity: normal | Resolution:
Keywords: authentication, model |
-----------------------------------+----------------------------------------
Changes (by mramm):

* milestone: 2.1 => 2.2

--
Ticket URL: <http://trac.turbogears.org/ticket/2283#comment:5>
