This repository has been archived by the owner on Feb 22, 2024. It is now read-only.
I disabled the Flask-Security registration form and use my previous registration form. Here is how I store the password based on user-submitted form data:
...
hashed_password = bcrypt.generate_password_hash(form.password.data).decode('utf-8')
user = User(username=form.username.data, email=form.email.data, password=hashed_password)
db.session.add(user)
...
However, when I try to log in using the Flask-Security built-in login form, it says invalid password.
Then I checked the documentation and found it might be related to the HMAC idea here.
Is it possible to somehow generate the hashed password with Flask-Bcrypt and still have it accepted by the Flask-Security login backend? I have very limited cryptography knowledge and have been stuck on this for the whole night : (
Or is the mentioned flask_security.utils.encrypt_password in #143 still available and also the only way to manage this?
Thank you!
The answer is yes: use encrypt_password. This will ensure that the hashed password you store at registration uses the same salt + HMAC method Flask-Security uses to hash the password at login. So your users will actually be able to sign in!
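Added example, not part of the thread and not Flask-Security's own code: a standard-library model of why a hash of the raw password fails at login while an HMAC-then-hash value verifies. It assumes the pre-hash is HMAC-SHA512 keyed with the SECURITY_PASSWORD_SALT setting and base64-encoded; PBKDF2 stands in for bcrypt so the block runs without extra packages, and all function names and the salt value are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Constructed value standing in for the app's SECURITY_PASSWORD_SALT setting.
PASSWORD_SALT = b"constructed-example-salt"


def pre_hash(password):
    """HMAC-SHA512 of the password keyed with the app-wide salt (assumed scheme)."""
    mac = hmac.new(PASSWORD_SALT, password.encode("utf-8"), hashlib.sha512)
    return base64.b64encode(mac.digest())


def slow_hash(secret, salt=None):
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def slow_verify(secret, stored):
    """Recompute with the stored per-user salt and compare in constant time."""
    return hmac.compare_digest(slow_hash(secret, stored[:16]), stored)


def register_plain(password):
    """What the custom form in the question does: hash the raw password."""
    return slow_hash(password.encode("utf-8"))


def register_compatible(password):
    """HMAC first, then the slow hash, matching what the login side expects."""
    return slow_hash(pre_hash(password))


def login(password, stored):
    """Login side: always applies the HMAC before verifying the stored hash."""
    return slow_verify(pre_hash(password), stored)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("raw-password hash accepted:", login(pw, register_plain(pw)))
    print("HMAC-then-hash accepted:   ", login(pw, register_compatible(pw)))
```

Hashes already stored from the raw password cannot be converted offline; they can only be replaced when the user next supplies the password or resets it.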
jasco pushed a commit to jasco/flask-security that referenced this issue Oct 3, 2023
- no longer send a new token upon receiving an expired token
- no longer auto-login on successful reset password (backwards compat config variable added)
- no longer send identity/email information as part of query params in unauthenticated requests
- add Referrer-Policy="no-referrer" as suggested by OWASP
Minor improvements to API doc.
closes pallets-eco#281