On Tue, Nov 22, 2011 at 9:21 AM, Massimo Di Pierro
<massimo.dipie...@gmail.com> wrote:
> must be hashed
Hmm I can't seem to get this working. I should probably have mentioned
that we are using basic auth to use this user on the client side. When
I hash the password and insert it into the database it is not hashing
the password passed in from basic login. Does this mean that we should
be changing the "basic" method to hash the password that it finds
there also? like this:

        (username, password) = base64.b64decode(basic[6:]).split(':')
        password = db.auth_user.password.validate(str(uuid.uuid4()))[0]
        return self.login_bare(username, password)

Just to be clear, I'll reiterate what we're trying to do here.

A temporary user is created in the system with a uuid username and
uuid password like this:
        settings["serverUser"] = str(uuid.uuid4())
        settings["serverPassword"] = db.auth_user.password.validate(str(uuid.uuid4()))[0]
        user = auth.get_or_create_user(dict(username=settings["serverUser"],
                                            password=settings["serverPassword"]))

then, on the client side, we are using curl to call a restful action
on the server using this login info, like this:
        curl https://localhost:2345/some/rest/verb -u "<serverUser from above>:<serverPassword from above>"

and it's still redirecting. I can confirm that the passwords passed in
to login_bare are the same until this is called:
        password = table_user[passfield].validate(password)[0]


>
> settings["serverPassword"] = db.auth_user.password.validate(str(uuid.uuid4()))[0]
>
> On Nov 22, 8:19 am, Matt Broadstone <mbroa...@gmail.com> wrote:
>> Hello,
>> In our project we need to create a temporary user for the web2py app
>> so that a remote system can send back a single status update. In order
>> to do this, when the command is sent out we create a temporary user
>> like this:
>>
>>         settings["serverUser"] = str(uuid.uuid4())
>>         settings["serverPassword"] = str(uuid.uuid4())
>>         user = auth.get_or_create_user(dict(username=settings["serverUser"],
>>                                             password=settings["serverPassword"]))
>>
>> This adds the user/password to the database just fine, however, login
>> fails because of this line in login_bare:
>> password = table_user[passfield].validate(password)[0]
>>
>> If I remove this line, the password is as expected, which leads me to
>> think that we are not adding the password in the first case properly.
>> Does it need to be hashed some way?
>>
>> Matt
>
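
Added example, not part of the original messages and not web2py code: a standard-library model of the flow discussed in this thread, showing that a login succeeds only when the hash is stored server-side and the client sends the plaintext, which login_bare hashes exactly once. The functions `validate`, `login_bare` and `basic` are stand-ins named after the calls quoted above, and the keyed HMAC-SHA256 hash is an assumption, not web2py's own hashing.

```python
import base64, hashlib, hmac, secrets, uuid

SERVER_KEY = secrets.token_bytes(32)  # constructed key for the stand-in hash
USERS = {}                            # username -> stored password value

def validate(password):
    """Stand-in for db.auth_user.password.validate(): returns (hash, error)."""
    digest = hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).hexdigest()
    return (digest, None)

def create_temp_user(store_hashed=True):
    """Create a one-off user; return (username, plaintext) for the client."""
    username, plaintext = str(uuid.uuid4()), str(uuid.uuid4())
    USERS[username] = validate(plaintext)[0] if store_hashed else plaintext
    return username, plaintext

def login_bare(username, password):
    """Hash the supplied password once and compare it with the stored value."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(validate(password)[0], stored)

def basic(header):
    """Parse 'Basic <base64>' and log in with the plaintext it carries."""
    if not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    username, sep, password = decoded.partition(":")  # password may contain ':'
    return bool(sep) and login_bare(username, password)

def basic_header(username, password):
    """Build the Authorization value that `curl -u user:password` sends."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token

def demo():
    user, plain = create_temp_user()                 # hash stored, plaintext kept
    ok = basic(basic_header(user, plain))            # client sends the plaintext
    double = basic(basic_header(user, USERS[user]))  # client sends the stored hash
    raw_user, raw_plain = create_temp_user(store_hashed=False)
    unhashed = basic(basic_header(raw_user, raw_plain))  # plaintext was stored
    return ok, double, unhashed

if __name__ == "__main__":
    print(demo())
```
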
