发表新帖
发表新帖

How do I get the password in django?

前端 未结
关注
3 1715
别跟我提以往
别跟我提以往 2021-01-13 17:32

I have a python library which I wrote for something else. So I import that to use in Django, problem I am facing is how to get the password.

mycustom_lib_fun
相关标签:
3条回答
  • 一个人的身影
    2021-01-13 17:44

    Your function mycustom_lib_function should not be using a plaintext password. After a user authenticates with your application, you have a User object (from django.contrib.auth.models) that contains a hashed password:

    >>> user.username
u'myusername'
>>> user.password
u'sha1$98ffc$b5fd085b8bc1c05fd241dfc97230631926141fe7'

    The actual password typed into your form is not stored in plaintext, as standard web security advises you not to store plaintext values of passwords after authentication.
    Note that you could check the above hash by performing:

    >>> from hashlib import sha1
>>> password = 'weak_password'
>>> _, salt, hashpw = user.password.split('$')
>>> sha1(salt+password).hexdigest() == hashpw
True

    Now if your application wraps into another application that you do not control that needs a password to do certain actions, you can possibly consider storing their password in plaintext (or slightly better encrypting it), but django.contrib.auth will not do this for you. It would be better if you set up an OAuth type credential system, which does exactly this functionality without necessitating users reveal their password to the intermediate site.

    If its an application that you do control, I would drop the requirement for password to be passed to it.

    0 讨论(0)
  • 花落未央
    2021-01-13 17:59

    You technically can store the password as plain-text but its not right from a security stand poit, see this answer, it is highly not recommended! django.contrib.auth.hashers has some good tools to use for passwords, see the official Django docs.

    If you have an idea what the plain-text password could be, i.e. I have a globally stored default password in one of my applications that is stored in plain-text, as in the example below. To check if a user has their password set to the default one, you can use the check_password function that will return True if the plain-text matches the encoded password:

    from django.contrib.auth.hashers import check_password
from django.contrib.auth.models import User
u = User.objects.all().first()
if check_password('the default password', u.password):
    print 'user password matches default password'
else:
    print 'user a set custom password'

    Also see is_password_usable, and make_password functions.

    0 讨论(0)
  • 感动是毒
    2021-01-13 18:05

    The password in User is hashed, and so you cannot get it. Ask the user.

    0 讨论(0)
 看不清?
提交回复
热议问题