# HG changeset patch
# User Filip de Waard
# Date 1271350648 -7200
# Node ID 2f37a51682319d2a4038843408fcc3a9272fcbc1
# Parent cb72253f5be42e0ffdd121c0bb7c89f150a35fb1
changed bcrypt library from Bcryptor to py-bcrypt
diff -r cb72253f5be42e0ffdd121c0bb7c89f150a35fb1 -r 2f37a51682319d2a4038843408fcc3a9272fcbc1 setup.py
--- a/setup.py Sat Apr 10 11:19:40 2010 +0200
+++ b/setup.py Thu Apr 15 18:57:28 2010 +0200
@@ -16,7 +16,7 @@
 install_requires=[
 "Pylons>=0.9.7",
 "CouchDB",
- "bcryptor"
+ "bcrypt"
 ],
 setup_requires=["PasteScript>=1.6.3"],
 packages=find_packages(exclude=['ez_setup']),
diff -r cb72253f5be42e0ffdd121c0bb7c89f150a35fb1 -r 2f37a51682319d2a4038843408fcc3a9272fcbc1 vix/lib/auth.py
--- a/vix/lib/auth.py Sat Apr 10 11:19:40 2010 +0200
+++ b/vix/lib/auth.py Thu Apr 15 18:57:28 2010 +0200
@@ -19,11 +19,9 @@
 """
-import bcryptor
+import bcrypt
 import vix.model as model
-bcrypt = bcryptor.Bcrypt()
-
 def authenticate(user, password):
 """Authenticates a username and password combination.
@@ -40,7 +38,9 @@
 if isinstance(user, basestring):
 user = model.User.load(model.db, user)
- if user is not None and bcrypt.valid(password, user.password):
+ if user == None:
+ return False
+ elif bcrypt.hashpw(password, user.password) == user.password:
 return True
 else:
 return False
diff -r cb72253f5be42e0ffdd121c0bb7c89f150a35fb1 -r 2f37a51682319d2a4038843408fcc3a9272fcbc1 vix/tests/test_auth.py
--- a/vix/tests/test_auth.py Sat Apr 10 11:19:40 2010 +0200
+++ b/vix/tests/test_auth.py Thu Apr 15 18:57:28 2010 +0200
@@ -19,6 +19,7 @@
 from unittest import TestCase
+import bcrypt
 import couchdb
 import vix.tests
@@ -30,7 +31,7 @@
 def test_authenticate(self):
 """Test if users are authenticated properly."""
- p = auth.bcrypt.create(u'123')
+ p = bcrypt.hashpw(u'123', bcrypt.gensalt())
 user = model.User(username=u"fmw", password=p)
 user.store(model.db)
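Review bot: In setup.py the new requirement `"bcrypt"` is unpinned and does not match the library named in the commit message (py-bcrypt); on PyPI `bcrypt` and `py-bcrypt` are separate distributions that both install a top-level `bcrypt` module. Confirm which project this string is meant to resolve to and give it a lower version bound, as the neighbouring `"Pylons>=0.9.7"` entry has, so a build cannot silently pick up a different implementation of the password-hashing code. The `install_requires` list and the surrounding `setup()` call start and end outside this hunk.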
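Review bot: In vix/lib/auth.py (hunk `@@ -40,7 +38,9 @@`) the new check `bcrypt.hashpw(password, user.password) == user.password` compares the computed and stored hashes with `==`, which is not a constant-time comparison, and it feeds `user.password` from the database straight in as the salt argument, so a malformed stored value would presumably raise out of `authenticate` instead of yielding False. Prefer a constant-time comparison such as `hmac.compare_digest(computed, user.password)` (Python 2.7.7+), or the library's own verify helper if the installed version provides one, and catch `ValueError` around the `hashpw` call so it maps to `return False`. `if user == None:` should be `if user is None:`, since `==` can be overridden by the model class. The early `return False` for an unknown user also skips the bcrypt work entirely, so known and unknown usernames answer in measurably different time; hashing the supplied password against a fixed dummy hash in that branch would even this out. The body of `authenticate` begins above this hunk.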
@@ -48,7 +49,7 @@
 #TODO: add checks for doc_id and admin related functionality
- p = auth.bcrypt.create(u'123')
+ p = bcrypt.hashpw(u'123', bcrypt.gensalt())
 perm = {'GET': True, 'POST': True, 'PUT': True, 'DELETE': False}
 user = model.User(username=u"fmw", password=p)
diff -r cb72253f5be42e0ffdd121c0bb7c89f150a35fb1 -r 2f37a51682319d2a4038843408fcc3a9272fcbc1 vix/tests/test_models.py
--- a/vix/tests/test_models.py Sat Apr 10 11:19:40 2010 +0200
+++ b/vix/tests/test_models.py Thu Apr 15 18:57:28 2010 +0200
@@ -23,7 +23,7 @@
 from datetime import datetime
 import couchdb
-import bcryptor
+import bcrypt
 import vix.tests
 import vix.model as model
@@ -94,12 +94,15 @@
 invalid_usernames = [u'f', u'fóò', u'fo-o', u'"foo', u"fo'o", u'o'*31]
- bcrypt = bcryptor.Bcrypt()
 valid_passwords = []
+
+ #don't do this in actual application code!
+ #salts should be unique for every password
+ salt = bcrypt.gensalt()
 #generate some bcrypt hashes:
 for i in range(5):
- valid_passwords.append(bcrypt.create(str(i)))
+ valid_passwords.append(bcrypt.hashpw(str(i), salt))
 invalid_passwords = [u'password',
 '$2a$hi$zovtWSOSm0PTsiuovPOxC.uEJxsEzVf0AlswKvgT/jtxMqf44.Kpi',
@@ -129,7 +132,7 @@
 self.assertRaises(ValueError, user.validate)
 #see what happens when no username is supplied
- user = model.User(password=bcrypt.create(u'123'))
+ user = model.User(password=bcrypt.hashpw(u'123', salt))
 self.assertRaises(ValueError, user.validate)
 #and without password:
@@ -137,7 +140,8 @@
 self.assertRaises(ValueError, user.validate)
 #test wrong type
- user = model.User(username=u'fmw', password=bcrypt.create(u'123'),
+ user = model.User(username=u'fmw',
+ password=bcrypt.hashpw( u'123', salt),
 type='not_a_user')
 self.assertRaises(ValueError, user.validate)
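Review bot: In vix/tests/test_models.py (hunk `@@ -94,12 +94,15 @@`) the single `salt = bcrypt.gensalt()` is shared by every generated hash, and the later hunks `@@ -129,7 +132,7 @@`, `@@ -137,7 +140,8 @@` and `@@ -146,7 +150,8 @@` reuse it as well. Generating a salt is cheap next to `hashpw` itself, so sharing it saves little, and the test then carries a pattern that the added comment has to warn readers not to copy. Calling `bcrypt.hashpw(str(i), bcrypt.gensalt())` at each site, as test_auth.py does in this same commit, would let the warning comment be dropped. The `hashpw( u'123', salt)` spacing in the `@@ -137,7 +140,8 @@` hunk is also inconsistent with the other calls.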
@@ -146,7 +150,8 @@
 self.assertRaises(ValueError, user.store, model.db)
 #test if a model.User object loaded from the database still validates
- user = model.User(username=u'fmw', password=bcrypt.create(u'123'))
+ user = model.User(username=u'fmw',
+ password=bcrypt.hashpw(u'123', salt))
 user.store(model.db)
 user = model.User.load(model.db, u'fmw')