On Sep 18, 2009, at 4:44 PM, waTR wrote:

>
> I need to be able to compare another password submitted against the
> one in that field. How would I go about doing that? What functions are
> available in web2py for this.
>
> db.define_table('pass',
> SQLField("password", 'password', readable=False, label='Password',
> requires=CRYPT()))
>
> I.e. I have just submitted a form that contains a
> request.get_vars.password
> how do I compare that password against the one in db.

Here's the central code in Auth.login:


                 users = self.db(table_user[username] == form.vars[username]).select()
                 if users:
                     # user in db, check if registration pending or disabled
                     temp_user = users[0]

                     ...

                     if not user:
                         # alternates have failed, maybe because service inaccessible
                         if self.settings.login_methods[0] == self:
                             # try logging in locally using cached credentials
                             if temp_user[passfield] == form.vars.get(passfield, ''):
                                 # success
                                 user = temp_user


The values being compared are hashes, because the field in question  
requires IS_CRYPT(), which really doesn't do anything but hash the  
value.

>
> On Sep 18, 1:34 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>> On Sep 18, 2009, at 1:06 PM, waTR wrote:
>>
>>> Related question though... how can one check if password entered
>>> matches password stored in DB for that user? When I retrieve the
>>> stored password via select(), it is encrypted. How does Auth decrypt?
>>> Where can I find that code (what file)?
>>
>> Briefly, you don't decrypt the stored password. Actually, you can't,
>> because it's not encrypted; it's hashed.
>>
>> You check it by hashing the login password and comparing the hashes.



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
-~----------~----~----~----~------~----~------~--~---
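
Added example (not part of the original thread and not web2py's own code): the "hash the login password and compare the hashes" check described above, written with the Python standard library. It goes beyond the plain comparison in the excerpt by using a per-user salt and a constant-time comparison; the function names, storage format, iteration count and sample user are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(submitted, stored):
    """Re-hash the submitted password with the stored salt and compare digests.

    Nothing is decrypted: the stored value only supplies the parameters
    needed to repeat the same one-way computation on the submitted value.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        # Malformed or foreign record: treat as a failed login, never as a match.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"), salt, rounds)
    # compare_digest takes the same time wherever the first difference is.
    return hmac.compare_digest(candidate, expected)


# Constructed stand-in for the user table: username -> stored hash string.
USERS = {"alice": hash_password("correct horse")}


def check_login(username, submitted):
    """Look up the stored hash for the user and verify the submitted password."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify_password(submitted, stored)
```

Because each record carries its own salt, the submitted password cannot be hashed once and matched in a query; the record has to be fetched first and the hash recomputed with that record's salt.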