django 1.3 compatibility with dynamic hashers from 1.4 #16
Hey @fwenzel can you take a look at this?
@@ -63,7 +65,7 @@ def check_password(self, raw_password): | |||
Supports automatic upgrading to stronger hashes. | |||
""" | |||
hashed_with = self.password.split('$', 1)[0] | |||
if hashed_with in ['bcrypt', 'hh']: | |||
if hashed_with in ['bcrypt', 'hh'] or hashed_with in get_dynamic_hasher_names(settings.HMAC_KEYS): |
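Review bot: The new condition calls get_dynamic_hasher_names(settings.HMAC_KEYS) on every password check and accepts a prefix only while its key is still listed in HMAC_KEYS, so a hash written under a key that is later removed from the setting stops taking this branch; state that in the docstring and cover it with a test. The two membership tests would also read better as one, for example by building the list of accepted names once and testing hashed_with against it, which brings the line back under the PEP 8 length limit.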
Line-break after the "or".
Sure, working on that now.
@fwenzel: Corrected the pep8 issues and added a test. While doing the tests, I stumbled on a couple of weird issues:
I think everything is all right now, but a second pair of eyes would be nice.
} | ||
|
||
u = User.objects.get(username="john") | ||
django14_style_password = prefix + raw_hashes['john'] + suffix |
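Review bot: django14_style_password is assembled by hand from prefix, raw_hashes['john'] and suffix, so as far as these lines show the test pins a string layout rather than what the 1.4 hashers emit. A comment stating the expected format, or deriving the prefix from get_dynamic_hasher_names(settings.HMAC_KEYS), would keep the test tied to the check it protects; a case for each entry in HMAC_KEYS would also exercise more than one prefix.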
Chaining of "+" to concatenate text is frowned upon in Python. You want ''.join((my, tuple)).
or '%s%s%s' % (my, other, tuple) of course ;)
Good job, this looks good! Will you squash your commits into a single commit? (
…KEYS order in 1.4
Done! The string concatenation is gone, all tests are passing and I rebased everything in one commit.
You, sir, are a scholar and a gentleman. Thank you!
django 1.3 compatibility with dynamic hashers from 1.4
If a project uses django_sha2 + django 1.4 + dynamic hashers generation as suggested in the README, and then goes back to 1.3, checking the password of any user whose password was "upgraded" to the new-style hashers fails.
If I understand the code correctly, this is because the hashers used for 1.4 support have different prefixes, one for each entry in HMAC_KEYS, which wasn't the case before. In the check_password() monkeypatch, there is a check to see if django_sha2 should use its own bcrypt_auth.check_password() code, but it only checks if the hasher is "bcrypt" or "hh", so it fails if any dynamic hasher was used.
This pull request makes the check_password() monkeypatch also check if the hasher is in the dynamic hashers list. I haven't included tests yet because I'm not sure this is the right solution at the moment and I'd prefer having feedback on the patch before working on some tests.
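Before moving a project back to Django 1.3, the stored hashes can be checked against the prefix test described above. This is an added example over constructed data, not code from the pull request or from django_sha2; dynamic_hasher_names() is a hypothetical stand-in for get_dynamic_hasher_names(), and its 'bcrypt' + key id naming is an assumption.

```python
from collections import Counter

LEGACY_PREFIXES = ("bcrypt", "hh")  # the two names the pre-patch check accepts


def dynamic_hasher_names(hmac_keys):
    """Hypothetical stand-in for get_dynamic_hasher_names().

    Assumption: one hasher name per HMAC_KEYS entry, 'bcrypt' + key id.
    """
    return ["bcrypt" + key_id.replace("-", "_") for key_id in hmac_keys]


def handled(encoded, hmac_keys, patched):
    """Mirror the prefix test in check_password(), before or after the patch."""
    hashed_with = encoded.split("$", 1)[0]
    if hashed_with in LEGACY_PREFIXES:
        return True
    return patched and hashed_with in dynamic_hasher_names(hmac_keys)


def audit(stored, hmac_keys, patched):
    """Return ({prefix: count}, sorted usernames the check would not handle)."""
    prefixes = Counter(enc.split("$", 1)[0] for enc in stored.values())
    unhandled = sorted(user for user, enc in stored.items()
                       if not handled(enc, hmac_keys, patched))
    return dict(prefixes), unhandled


# Constructed sample data: made-up key ids and placeholder hash bodies.
HMAC_KEYS = {"2011-01-01": "old secret", "2012-06-01": "new secret"}
STORED = {
    "john": "bcrypt2012_06_01$placeholder",  # upgraded under 1.4
    "jane": "bcrypt$placeholder",            # old-style prefix
    "ann": "hh$placeholder",                 # old-style prefix
    "bob": "bcrypt2010_01_01$placeholder",   # key no longer in HMAC_KEYS
}

if __name__ == "__main__":
    for patched in (False, True):
        counts, unhandled = audit(STORED, HMAC_KEYS, patched)
        print("patched" if patched else "unpatched", counts, unhandled)
```

Any user still listed for the patched check carries a prefix whose key is no longer in HMAC_KEYS.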