Python Forum
bcrypt passwords failed [SOLVED]
#1
Hello, I'm new at Python so I'm following a course which is a little bit outdated, so I already have a database with an "author" table, and I'm encoding the password input when the author registers
with the following code

@app.route('/setup', methods=('GET', 'POST'))
def setup():
        error = ""
        form = SetUpForm()
        if form.validate_on_submit():
                salt = bcrypt.gensalt()
                hashed_password = bcrypt.hashpw(form.password.data.encode('utf8'), salt)  # noqa: E501
                author = Author(
                        form.fullname.data,
                        form.email.data,
                        form.username.data,
                        hashed_password,
                        True
                )
                db.session.add(author)
                db.session.flush()
                if author.id:
                        blog = Blog(
                                form.name.data,
                                author.id
                        )
                        db.session.add(blog)
                        db.session.flush()
                else:
                        db.session.rollback()
                        error = "Error creating user"
                if author.id and blog.id:
                        db.session.commit()
                        flash(" Blog created ")
                        return redirect(url_for('admin'))
                else:
                        db.session.rollback()
                        error = "Error creating blog "  # noqa : F841
        return render_template('blog/setup.html', form=form)
So far everything is correct, because if I use
SELECT * from author; I can see the record that I just registered with an encrypted password.
So the problem happens when I try to log in with the following code

@app.route('/login', methods=('GET', 'POST'))
def login():
        form = LoginForm()
        error = None
        if request.method == 'GET' and request.args.get('next'):
                session['next'] = request.args.get('next', None)

        if form.validate_on_submit():
                authors = Author.query.filter_by(
                        username=form.username.data,
                ).limit(1)
                if authors.count():
                        author = authors[0]
                        # encrypts the form password and checks it against what is in the DB  # noqa: E501
                        if bcrypt.hashpw(form.password.data.encode('utf8'), author.password.encode('utf8')) == author.password:  # noqa: E501
                                session['username'] = form.username.data
                                if 'next' in session:
                                        next = session.get('next')
                                        session.pop('next')
                                        return redirect(next)
                                else:
                                        return redirect(url_for('login_success'))  # noqa: E501
                                return redirect(url_for('login_success'))
                        else:
                                error = " incorrect password "
                else:
                        error = "Incorrect username and password "
        return render_template('author/login.html', form=form, error=error)

 
The code does not crash, but I'm receiving the "incorrect password" error, so it seems like something is wrong with this line
if bcrypt.hashpw(form.password.data.encode('utf8'), author.password.encode('utf8')) == author.password:  # noqa: E501
Hope you can help me, thanks a lot :D

PS: I'm pretty sure that I'm entering the correct password

[SOLVED] I just added .encode('utf8') to the author.password as well

if bcrypt.hashpw(form.password.data.encode('utf8'), author.password.encode('utf8')) == author.password.encode('utf8'):  # noqa: E501
Looking for comments on whether that is the correct and secure way to do this :D
Reply
#2
That depends, what does bcrypt.hashpw() return? As long as you're storing the hashed password, it should be fine.

And thanks for letting us know what the issue was :)
Reply

