On Sep 20, 2009, at 12:34 PM, waTR wrote:

>
> @Jonathan:
> I looked at that code a lot yesterday, before I posted. The thing is,
> that code doesn't really show how it compares the values.
>
> The if temp_user[passfield] == form.vars.get(passfield, '') doesn't
> make sense to me. temp_user[passfield] should return the hash held in
> the db password field. The form.vars.get(passfield, '') should return
> the non-hash password entered into the form. Where does the
> translation occur from the Form to the hash stored in the db?

It happens in the IS_CRYPT() validation, which returns the hashed value of the field.

>
> The above code doesn't show that translation...
>
> On Sep 18, 5:08 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>> On Sep 18, 2009, at 4:44 PM, waTR wrote:
>>
>>> I need to be able to compare another password submitted against the
>>> one in that field. How would I go about doing that? What functions
>>> are available in web2py for this.
>>
>>> db.define_table('pass',
>>> SQLField("password", 'password', readable=False, label='Password',
>>> requires=CRYPT()))
>>
>>> I.e. I have just submitted a form that contains a
>>> request.get_vars.password
>>> how do I compare that password against the one in db.
>>
>> Here's the central code in Auth.login:
>>
>>                  users = self.db(table_user[username] == form.vars[username]).select()
>>                  if users:
>>                      # user in db, check if registration pending or disabled
>>                      temp_user = users[0]
>>
>>                      ...
>>
>>                      if not user:
>>                          # alternates have failed, maybe because service inaccessible
>>                          if self.settings.login_methods[0] == self:
>>                              # try logging in locally using cached credentials
>>                              if temp_user[passfield] == form.vars.get(passfield, ''):
>>                                  # success
>>                                  user = temp_user
>>
>> The values being compared are hashes, because the field in question
>> requires IS_CRYPT(), which really doesn't do anything but hash the
>> value.
>>
>>
>>
>>> On Sep 18, 1:34 pm, Jonathan Lundell <jlund...@pobox.com> wrote:
>>>> On Sep 18, 2009, at 1:06 PM, waTR wrote:
>>
>>>>> Related question though... how can one check if password entered
>>>>> matches password stored in DB for that user? When I retrieve the
>>>>> stored password via select(), it is encrypted. How does Auth
>>>>> decrypt?
>>>>> Where can I find that code (what file)?
>>
>>>> Briefly, you don't decrypt the stored password. Actually, you can't,
>>>> because it's not encrypted; it's hashed.
>>
>>>> You check it by hashing the login password and comparing the hashes.
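To make the "validator hashes, login compares hashes" flow concrete, here is an added example (not web2py's own code and not from the thread) with a stand-in for the CRYPT() validator and a mirror of the Auth.login check; the storage format, PBKDF2 parameters and the `SAMPLE_DB` row are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed stand-in for the CRYPT()/IS_CRYPT() validator: the submitted
# plaintext becomes "algorithm$salt$hexdigest" at validation time, so
# what reaches the record and the comparison in Auth.login is a hash.
# Format, algorithm and iteration count are choices for this example,
# not web2py's own.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000


def crypt(plaintext, salt=None):
    """Return the stored form of a password: algorithm$salt$hexdigest."""
    if salt is None:
        salt = os.urandom(16).hex()  # fresh per-record salt at registration
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"),
                                 salt.encode("ascii"), ITERATIONS)
    return "%s$%s$%s" % (ALGORITHM, salt, digest.hex())


def check_password(stored, submitted):
    """Recompute the hash with the stored salt and compare; nothing is
    decrypted. compare_digest keeps the comparison constant-time."""
    parts = stored.split("$", 2)
    if len(parts) != 3 or parts[0] != ALGORITHM:
        return False  # unknown or malformed stored value never matches
    recomputed = crypt(submitted, parts[1])
    return hmac.compare_digest(recomputed.encode("utf-8"), stored.encode("utf-8"))


def login(db, username, submitted_password, passfield="password"):
    """Mirror of the Auth.login fragment quoted above: fetch the row,
    then accept the login only if the submitted password matches."""
    temp_user = db.get(username)
    if temp_user is None:
        return None
    if check_password(temp_user[passfield], submitted_password):
        return temp_user  # success
    return None


# Constructed sample "table": one row as stored after registration.
SAMPLE_DB = {"alice": {"username": "alice", "password": crypt("correct horse")}}

if __name__ == "__main__":
    print(login(SAMPLE_DB, "alice", "correct horse") is not None)  # True
    print(login(SAMPLE_DB, "alice", "wrong password") is not None)  # False
```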


