Hi,

I tested using a custom login_onvalidation method:

auth.settings.login_onvalidation = PHPBBDECRYPT()

Using this method I get the form and I can manipulate its variables
prior to returning the form, however as far as I can see I would be
expected to return the hashed value that will later be compared with
the hashed value in the database:

if temp_user[passfield] == form.vars.get(passfield, ''):

Unfortunately this solution will not work for me as I get a different
hash every time I call the hash password function for the same
plaintext password.
What I need to do is use a special function called check password
which uses some bcrypt magic to verify that a given plaintext password
corresponds to a given hash.

Is there somewhere outside of the Auth class where I can put code
which compares the stored hash in the database with the submitted
plaintext password in order to validate the user by returning True or
False?

Thanks,

John

On Dec 14, 4:37 pm, greenguerilla <johngerardoconn...@gmail.com>
wrote:
> Hi Anthony,
>
> Thank you for your reply. I will investigate these options and will
> let the group know how I get on.
>
> Cheers,
>
> John
>
> On Dec 13, 5:22 pm, Anthony <abasta...@gmail.com> wrote:
>
> > On Tuesday, December 13, 2011 10:50:15 AM UTC-5, greenguerilla wrote:
>
> > > Hi,
>
> > > I have also been trying to migrate existing user accounts from phpbb
> > > to a web2py system.
> > > The below solution works well for registering new users, however in
> > > order to successfully validate these passwords during the login
> > > process
> > > I made some changes to the framework itself:
>
> > > I have added into gluon/tools.py at line 1753 (latest stable version
> > > of web2py) at the end of the 'user is
> > > in db' clause of the login method of the Auth class.
>
> > > if self.phpbb_checkpw(temp_user[passfield], request.vars[passfield]):
> > >     user = temp_user
>
> > > This phpbb_checkpw function returns True or False depending on whether
> > > or not the plaintext passwords (from form) matches the stored hash.
> > > This is an awkward way to do things and I am wondering if there are
> > > any hooks I can avail of in order to validate a user entered plaintext
> > > password against the stored hash and thus keep my custom code outside
> > > of the framework?
>
> > As suggested earlier, can you just create a custom validator for the
> > password field that hashes it, so it will match the stored hash?
>
> > Another option is using auth.settings.login_onvalidation, which is a
> > function that takes the login form (and can manipulate the form vars) right
> > after validation (but before the rest of the login logic).
>
> > Anthony
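As an added example (not web2py's code nor code from anyone in this thread), here is one way to make the login_onvalidation hook that Anthony suggests solve the bcrypt problem John describes: verify the plaintext against the stored hash, then overwrite form.vars[passfield] with the stored hash so Auth's own equality check passes. It assumes the password field's default CRYPT validator has been removed so the hook still sees the plaintext, that the `bcrypt` package is installed for `verify_bcrypt`, and that `lookup_user`, `verify` and `FakeForm` are placeholder names.

```python
"""Hook for auth.settings.login_onvalidation: verify a phpBB-style
bcrypt hash, then hand Auth the stored hash instead of the plaintext.
Added example; names other than form.vars/form.errors are assumptions."""


def verify_bcrypt(plaintext, stored_hash):
    """Constant-time bcrypt check via the 'bcrypt' package (assumed
    installed). phpBB 3.1+ writes '$2y$' hashes; recent versions of the
    bcrypt package accept that prefix directly (assumption)."""
    import bcrypt
    try:
        return bcrypt.checkpw(plaintext.encode("utf-8"),
                              stored_hash.encode("utf-8"))
    except ValueError:  # row holds a malformed or non-bcrypt hash
        return False


def make_login_onvalidation(lookup_user, verify, userfield="email",
                            passfield="password"):
    """Build the hook. lookup_user(value) returns a dict-like user row
    or None; verify(plaintext, stored_hash) returns True or False."""
    def on_validation(form):
        submitted = form.vars.get(passfield, "") or ""
        user = lookup_user(form.vars.get(userfield))
        if user is not None and verify(submitted, user[passfield]):
            # Auth later runs: temp_user[passfield] == form.vars[passfield]
            # Give it the stored hash so that comparison succeeds without
            # re-hashing (bcrypt re-hashing would never match: fresh salt).
            form.vars[passfield] = user[passfield]
        else:
            # Never leave the plaintext (or anything that could equal the
            # stored hash) in form.vars; an error aborts form.accepts().
            form.vars[passfield] = None
            form.errors[passfield] = "invalid login"
    return on_validation


class FakeForm(object):
    """Minimal stand-in for web2py's login form, for offline testing only
    (constructed; a real form carries .vars and .errors the same way)."""
    def __init__(self, vars):
        self.vars = dict(vars)
        self.errors = {}
```

In the real application the hook is registered with `auth.settings.login_onvalidation = make_login_onvalidation(lambda e: db(db.auth_user.email == e).select().first(), verify_bcrypt)`.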
