use None instead of False to designate validity with auth plugins

plone · Nov 23, 2016 · aeadaef · aeadaef
1 parent 1cae5aa
commit aeadaef
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 9 deletions.
diff --git a/src/plone.server/plone/server/auth/__init__.py b/src/plone.server/plone/server/auth/__init__.py
@@ -24,5 +24,5 @@ async def find_user(request, token):
     for identifier in app_settings['auth_user_identifiers']:
         identifier = resolve_or_get(identifier)
         user = await identifier(request).get_user(token)
-        if user:
+        if user is not None:
             return user
diff --git a/src/plone.server/plone/server/auth/validators.py b/src/plone.server/plone/server/auth/validators.py
@@ -14,7 +14,7 @@ def __init__(self, request):
         self.request = request
 
 
-def hash_password(password, salt=None):
+def hash_password(password, salt=None, algorithm='sha512'):
     if salt is None:
         salt = uuid.uuid4().hex
 
@@ -24,8 +24,9 @@ def hash_password(password, salt=None):
     if isinstance(password, str):
         password = password.encode('utf-8')
 
-    hashed_password = hashlib.sha512(password + salt).hexdigest()
-    return '{}:{}'.format(salt.decode('utf-8'), hashed_password)
+    hash_func = getattr(hashlib, algorithm)
+    hashed_password = hash_func(password + salt).hexdigest()
+    return '{}:{}:{}'.format(algorithm, salt.decode('utf-8'), hashed_password)
 
 
 class SaltedHashPasswordValidator(object):
@@ -40,9 +41,13 @@ async def validate(self, token):
         if (not user_pw or
                 ':' not in user_pw or
                 'token' not in token):
+            return
+        split = user.password.split(':')
+        if len(split) != 3:
             return False
-        salt = user.password.split(':')[0]
-        if not strings_differ(hash_password(token['token'], salt), user_pw):
+        algorithm = split[0]
+        salt = split[1]
+        if not strings_differ(hash_password(token['token'], salt, algorithm), user_pw):
             return user
 
 
@@ -54,11 +59,11 @@ def __init__(self, request):
 
     async def validate(self, token):
         if token.get('type') != 'bearer':
-            return False
+            return
 
         if '.' not in token.get('token', ''):
             # quick way to check if actually might be jwt
-            return False
+            return
 
         try:
             validated_jwt = jwt.decode(
@@ -72,4 +77,4 @@ async def validate(self, token):
         except jwt.exceptions.DecodeError:
             pass
 
-        return False
+        return