Hi Anthony,

Many thanks. Just to check - option 1 would have to be done in the web2py codebase (i.e. outside of the application code)? I don't think there's any simple way of overriding the version of simple_hash imported from gluon.utils that LazyCrypt() calls.

Both the other options can be done in a model file, I think.

Cheers,
David

On Friday, 27 May 2016 05:51:40 UTC+1, Anthony wrote:
> Aside from forking the framework, I suppose you could take one of these
> approaches:
>
> 1. Monkey patch gluon.utils.simple_hash.
> 2. Subclass validators.CRYPT and validators.LazyCrypt, and in
>    LazyCrypt, replace the __str__ method with one that calls a custom
>    simple_hash function.
> 3. Create an entirely new custom hashing validator that replicates the
>    algorithm used by the other app.
>
> Anthony
>
> On Thursday, May 26, 2016 at 1:19:35 PM UTC-4, David Orme wrote:
>> Hello,
>>
>> I've got an application where I'm sharing a database with a second (non
>> web2py) framework. I want my web2py application to handle user registration
>> and would like to avoid users having two passwords (partly so that only
>> web2py ever writes to the auth_user table).
>>
>> Inevitably, the hashed password storage formats differ, but I can match
>> the hash algorithm between the two frameworks:
>>
>> db.auth_user.password.requires = CRYPT(digest_alg='sha512')
>>
>> Then I can just calculate the value of a second hashed password field in
>> the foreign format - it involves recoding the string as base64, not hex,
>> but that can be achieved using a computed field.
>>
>> def alt_password(r):
>>     passwd = r.password.split('$')
>>     alt = base64.b64encode(passwd[1].decode('hex')) + \
>>         '*' + base64.b64encode(passwd[2].decode('hex'))
>>     return alt
>>
>> auth.settings.extra_fields['auth_user']= [
>>     Field('alt_password', compute=lambda r: alt_password(r))
>> ]
>>
>> *Except...* the simple_hash function in web2py uses (password + salt) as
>> an input and the second framework uses (salt + password), which means there
>> is no way to reproduce the second format from the stored hashed password.
>> I can hack the web2py utils.py file on my installation to reverse this but I
>> wanted to check if there was a more elegant way of overloading the
>> simple_hash function without having to change the codebase, which makes my
>> application unstable to upgrade.
>>
>> I did wonder about extending the settings to include a salt order, but I
>> think that would mean you'd have to extend the password string to record
>> the order: alg$order$salt$hash. That seems like a bit of a big change for a
>> fairly fringe use case!
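The salt-order problem from the thread, as an added example (not code from the thread or from web2py): a stand-alone Python 3 `hashlib` sketch showing that the salt-first record cannot be derived by re-encoding the stored password-first record, so both must be computed while the plaintext is available. All function names and the sample salt are hypothetical, and it assumes the second framework hashes the salt as the same hex text.

```python
import base64
import hashlib

def hash_password_first(password, salt, alg="sha512"):
    # (password + salt): the order the thread says web2py's simple_hash uses.
    return hashlib.new(alg, (password + salt).encode("utf-8")).hexdigest()

def hash_salt_first(password, salt, alg="sha512"):
    # (salt + password): the order the thread says the second framework uses.
    # Assumption: the salt is hashed as its hex text, not as decoded bytes.
    return hashlib.new(alg, (salt + password).encode("utf-8")).hexdigest()

def to_alt_format(stored):
    # Re-encode 'alg$salt$hash' (hex fields) as b64(salt)*b64(hash),
    # a Python 3 equivalent of alt_password() in the post.
    _alg, salt_hex, digest_hex = stored.split("$")
    salt_b64 = base64.b64encode(bytes.fromhex(salt_hex)).decode("ascii")
    digest_b64 = base64.b64encode(bytes.fromhex(digest_hex)).decode("ascii")
    return salt_b64 + "*" + digest_b64

def both_records(password, salt, alg="sha512"):
    # Both digests need the plaintext, so they are computed together at the
    # point where it is available (e.g. inside a custom validator).
    native = "$".join((alg, salt, hash_password_first(password, salt, alg)))
    foreign_hex = "$".join((alg, salt, hash_salt_first(password, salt, alg)))
    return native, to_alt_format(foreign_hex)

if __name__ == "__main__":
    SALT = "0123456789abcdef"  # constructed sample salt (hex text)
    native, foreign = both_records("correct horse", SALT)
    print(native)
    print(foreign)
    # Re-encoding the stored native record does not yield the foreign record.
    print(to_alt_format(native) == foreign)
```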