Merge pull request #608 from samuelcolvin/master

change auth example to hash passwords

Merge pull request #608 from samuelcolvin/master
change auth example to hash passwords
e12ce6c1 · Serge S. Koval · 8d7b0a50 · 57d498f5 · e12ce6c1 · e12ce6c1
Commit e12ce6c1 authored Jul 31, 2014 by Serge S. Koval
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 3 deletions

auth.py examples/auth/auth.py +11 -2

index.html examples/auth/templates/admin/index.html +1 -1

No files found.
--- a/examples/auth/auth.py
+++ b/examples/auth/auth.py
@@ -5,6 +5,7 @@ from wtforms import form, fields, validators
 from flask.ext import admin, login
 from flask.ext.admin.contrib import sqla
 from flask.ext.admin import helpers, expose
+from werkzeug.security import generate_password_hash, check_password_hash
 # Create Flask application
@@ -59,7 +60,10 @@ class LoginForm(form.Form):
        if user is None:
            raise validators.ValidationError('Invalid user')
-        if user.password != self.password.data:
+        # we're comparing the plaintext pw with the the hash from the db
+        if not check_password_hash(user.password, self.password.data):
+        # to compare plain text passwords use
+        # if user.password != self.password.data:
            raise validators.ValidationError('Invalid password')
    def get_user(self):
@@ -125,6 +129,9 @@ class MyAdminIndexView(admin.AdminIndexView):
            user = User()
            form.populate_obj(user)
+            # we hash the users password to avoid saving it as plaintext in the db,
+            # remove to use plain text:
+            user.password = generate_password_hash(form.password.data)
            db.session.add(user)
            db.session.commit()
@@ -188,7 +195,9 @@ def build_sample_db():
        user.last_name = last_names[i]
        user.login = user.first_name.lower()
        user.email = user.login + "@example.com"
-        user.password = ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(10))
+        user.password = generate_password_hash(''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(10)))
+        # passwords are hashed, to use plaintext passwords use:
+        # user.password = ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(10))
        db.session.add(user)
    db.session.commit()

--- a/examples/auth/templates/admin/index.html
+++ b/examples/auth/templates/admin/index.html
@@ -10,7 +10,7 @@
            Authentication
        </p>
        <p>
-            This example shows how you can use Flask-Login for authentication. It is only intended as a basic demonstration, so please don't freak out when you see passwords being stored as plain text.
+            This example shows how you can use Flask-Login for authentication. It is only intended as a basic demonstration.
        </p>
        {% else %}
        <form method="POST" action="">