request.vars.get(passfield, '') contains the un-hashed value pre-validation
form.vars.get(passfield, '') contains the hashed value post validation Massimo On Sep 20, 2:42 pm, Jonathan Lundell <[email protected]> wrote: > On Sep 20, 2009, at 12:34 PM, waTR wrote: > > > > > @Jonathan: > > I looked at that code a lot yesterday, before I posted. The thing is, > > that code doesn't really show how it compares the values. > > > The if temp_user[passfield] == form.vars.get(passfield, '') doesn't > > make sense to me. temp_user[passfield] should return the hash held in > > the db password field. The form.vars.get(passfield, '') should return > > the non-hash password entered into the form. Where does the > > translation occure from the Form to the hash stored in the db? > > It happens in the IS_CRYPT() validation, which returns the hashed > value of the field. > > > > > The above code doesn't show that translation... > > > On Sep 18, 5:08 pm, Jonathan Lundell <[email protected]> wrote: > >> On Sep 18, 2009, at 4:44 PM, waTR wrote: > > >>> I need to be able to compare another password submitted against the > >>> one in that field. How would I go about doing that? What functions > >>> are > >>> available in web2py for this. > > >>> db.define_table('pass', > >>> SQLField("password", 'password', readable=False, label='Password', > >>> requires=CRYPT())) > > >>> I.e. I have just submitted a form that contains a > >>> request.get_vars.password > >>> how do I compare that password against the one in db. > > >> Here's the central code in Auth.login: > > >> users = self.db(table_user[username] == form.vars > >> [username]).select() > >> if users: > >> # user in db, check if registration pending or > >> disabled > >> temp_user = users[0] > > >> ... > > >> if not user: > >> # alternates have failed, maybe because > >> service inaccessible > >> if self.settings.login_methods[0] == self: > >> # try logging in locally using cached > >> credentials > >> if temp_user[passfield] == form.vars.get > >> (passfield, ''): > >> # success > >> user = temp_user > > >> The values being compared are hashes, because the field in question > >> requires IS_CRYPT(), which really doesn't do anything but hash the > >> value. > > >>> On Sep 18, 1:34 pm, Jonathan Lundell <[email protected]> wrote: > >>>> On Sep 18, 2009, at 1:06 PM, waTR wrote: > > >>>>> Related question though... how can one check if password entered > >>>>> matches password stored in DB for that user? When I retrieve the > >>>>> stored password via select(), it is encrypted. How does Auth > >>>>> decrypt? > >>>>> Where can I find that code (what file)? > > >>>> Briefly, you don't decrypt the stored password. Actually, you > >>>> can't, > >>>> because it's not encrypted; it's hashed. > > >>>> You check it by hashing the login password and comparing the > >>>> hashes. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "web2py-users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/web2py?hl=en -~----------~----~----~----~------~----~------~--~---
