authenticate function in django using hashed passw

2019-07-24 04:40发布

I am working on openedx(which runs on django) and the user will be redirected here from other site and i'm being given the hashed password from there. Authenticate(username,password) excepts raw password like "dragon" not the hashed one,

So I need to use the authenticate() with the hashed password so that I can get the ".backend" attribute and move on with my life.

When I use login(request,user) without the authenticate method. this error appears:

request.session[BACKEND_SESSION_KEY] = user.backend
AttributeError: 'User' object has no attribute 'backend'

So I need to use the authenticate function to get that .backend attribute in my user object.

user = authenticate(username=username, password=password) is the format of the authenticate function, the password here is a raw password like "abc", what I have is a hashed password (which is the way this "abc" password will be stored in db).

I am stuck now, is there a way to authenticate and login using hashed passwords in django?

2条回答
劫难
2楼-- · 2019-07-24 04:57

Open edX uses the ratelimitbackend.backends.RateLimitModelBackend for authentication, as we can see in the settings. This backend requires the un-hashed password for authentication.

If you wish to authenticate a user based on its hashed password, you need to create a new authentication backend, as described in the django documentation.

I suggest you draw some inspiration from the Django ModelBackend, as implemented in django.contrib.auth.backends.

The error you see relative to the missing backend attribute is something that I have experienced before. In the impersonate_user view of FUN (an Open edX project) this is how we solve this problem (note the comment inside the source code of the view function):

user = get_object_or_404(User, username=username, is_superuser=False, is_active=True)
user.backend = None
login(request, user)
查看更多
趁早两清
3楼-- · 2019-07-24 05:17

You can create a custom authentication backend for django and override its authenticate and get_user method to authenticate using hashed password and username.

Since hashed password is just another modelfield with text in it, you can lookup for users with username and the hash pass value in db.

Something like this should work:

from django.contrib.auth.backends import ModelBackend
from django.contrib.auth.models import User

class HashedPasswordAuthBackend(ModelBackend):

    def authenticate(self, username=None, password=None):
        try:
            return User.objects.get(username=username, password=password)
        except User.DoesNotExist:
            return None

    def get_user(self, user_id):
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None

After that, Include the path of this auth backend in your project settings.

AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',
    'yourapp.backends.HashedPasswordAuthBackend',
]
查看更多
登录 后发表回答