python flask-security:加密错误“无法识别哈希”

时间:2013-01-28 13:18:04

标签: python flask

我在Flask项目中使用Flask-Security。基本上一切正常,直到我尝试打开密码加密。基本上我遵循了这个:http://packages.python.org/Flask-Security/configuration.html 这导致我添加了这个:

app.config['SECURITY_PASSWORD_HASH'] = 'bcrypt'
app.config['SECURITY_PASSWORD_SALT'] = '$2a$16$PnnIgfMwkOjGX4SkHqSOPO'

遗憾的是,这会导致错误:

File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask/app.py", line 1701, in __call__
return self.wsgi_app(environ, start_response)
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask/app.py", line 1689, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask/app.py", line 1687, in wsgi_app
response = self.full_dispatch_request()
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask/app.py", line 1360, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask/app.py", line 1358, in full_dispatch_request
rv = self.dispatch_request()
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask/app.py", line 1344, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask_security/decorators.py", line 171, in wrapper
return f(*args, **kwargs)
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask_security/views.py", line 72, in login
if form.validate_on_submit():
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask_wtf/form.py", line 123, in validate_on_submit
return self.is_submitted() and self.validate()
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask_security/forms.py", line 165, in validate
if not verify_password(self.password.data, self.user.password):
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/flask_security/utils.py", line 84, in verify_password
return _pwd_context.verify(get_hmac(password), password_hash)
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/passlib/context.py", line 2534, in verify
record = self._get_or_identify_record(hash, scheme, category)
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/passlib/context.py", line 2258, in _get_or_identify_record
return self._identify_record(hash, category)
File "/home/geoadmin/.virtualenvs/flask/lib/python2.7/site-packages/passlib/context.py", line 1455, in identify_record
raise ValueError("hash could not be identified")
ValueError: hash could not be identified

我对发生的事情毫无头绪。我以为我生成了一个很好的bcrypt哈希,但网站上没有真正的密码加密示例,错误本身让我困惑:/

使用的软件: - Ubuntu 12.04LTS - Python 2.7.2 - FLask 0.9 - Flask-Security 1.5.4 - 通过MongoAlchemy在MongoDB 2.2上运行

感谢您的帮助!!

编辑:感谢Bikeshedder,这可能是罪魁祸首:

# Create a user to test with
@app.before_first_request
def create_user():
    user_datastore.create_user(email='test@test.net', password='testerdetest')

我假设create_user方法会自动加密密码。但显然它没有...文档在这里并不是很清楚:

Class flask_security.datastore.MongoEngineUserDatastore(db, user_model, role_model)
A MongoEngine datastore implementation for Flask-Security that assumes the use of the Flask-MongoEngine extension.
create_user(**kwargs)
Creates and returns a new user from the given parameters.

编辑2:进一步研究BikeShedder的建议,我将标准用户创建改为:

# Create a user to test with
@app.before_first_request
def create_user():
    user_datastore.create_user(email='test@test.net', password=bcrypt.hashpw('testerdetest', app.config['SECURITY_PASSWORD_SALT'])

这样就解决了这个错误,但它给了我一个“无效的密码”,这意味着flask-security做了一些与我加密时不同的事情...... argh!

编辑3:从bcrypt更改为passlib(flask-security也使用)

app.config['SECURITY_PASSWORD_SALT'] = '/2aX16zPnnIgfMwkOjGX4S'

user_datastore.create_user(email='test@test.net', password=passlib.hash.bcrypt.encrypt('testerdetest', salt=app.config['SECURITY_PASSWORD_SALT']))

仍然无效pw :( 如果我查看https://github.com/mattupstate/flask-security/blob/develop/flask_security/utils.py处的源代码,它似乎只使用sha512加密...我不明白文档...

编辑5:解决了(感谢你让我朝着正确的方向前进!) flask.ext.security.utils.encrypt_password()完成了这个伎俩。但是,我仍然怀疑它是否真的是bcrypt,但好吧,它至少是加密的......

3 个答案:

答案 0 :(得分:10)

我有同样的问题,我用以下方法解决:

from flask.ext.security.utils import encrypt_password
user_datastore.create_user(email='test@test.fr', password=encrypt_password('password'))

优点是我们可以选择我们想要的SECURITY_PASSWORD_HASH和SECURITY_PASSWORD_SALT值。

答案 1 :(得分:3)

由于您没有解释何时发生此错误,我必须猜测它在尝试登录时会发生。

如果是这种情况,则表示存储在DB中的密码格式错误。它可能仍然是纯文本,Flask-Security无法找出正在使用的散列算法。

解决此问题的最简单方法是重置用户的密码。

答案 2 :(得分:1)

旧问题,但来自developer ...

的明确答案
  

这完全取决于您如何向数据库添加用户。如果你已经设定   SECURITY_REGISTERABLE = True,仅通过。添加用户   内置注册表,那你就没事了。如果您要添加   用户通过任何其他方式必须使用加密密码   保存用户记录之前的flask_security.utils.encrypt_password   你的数据库。

from flask.ext.security.utils import encrypt_password
db.create_user(email='test@test.com', password=encrypt_password('password'))