2 files changed, 6 insertions, 4 deletions

diff --git a/mediagoblin/auth/lib.py b/mediagoblin/auth/lib.py
index 1136a252..ddb58fe6 100644
--- a/mediagoblin/auth/lib.py
+++ b/mediagoblin/auth/lib.py
@@ -42,7 +42,7 @@ def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
     if extra_salt:
         raw_pass = u"%s:%s" % (extra_salt, raw_pass)
 
-    hashed_pass = bcrypt.hashpw(raw_pass, stored_hash)
+    hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash)
 
     # Reduce risk of timing attacks by hashing again with a random
     # number (thx to zooko on this advice, which I hopefully
@@ -68,7 +68,8 @@ def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
     if extra_salt:
         raw_pass = u"%s:%s" % (extra_salt, raw_pass)
 
-    return unicode(bcrypt.hashpw(raw_pass, bcrypt.gensalt()))
+    return unicode(
+        bcrypt.hashpw(raw_pass.encode('utf-8'), bcrypt.gensalt()))
 
 
 def fake_login_attempt():
diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py
index e18469b9..71a5f379 100644
--- a/mediagoblin/auth/views.py
+++ b/mediagoblin/auth/views.py
@@ -120,7 +120,7 @@ def login(request):
     login_failed = False
 
     if request.method == 'POST' and login_form.validate():
-        user = request.db.User.one(
+        user = request.db.User.find_one(
             {'username': request.POST['username'].lower()})
 
         if user and user.check_login(request.POST['password']):
@@ -236,7 +236,8 @@ def forgot_password(request):
 
     Sends an email with an url to renew forgotten password
     """
-    fp_form = auth_forms.ForgotPassForm(request.POST)
+    fp_form = auth_forms.ForgotPassForm(request.POST,
+                                        username=request.GET.get('username'))
 
     if request.method == 'POST' and fp_form.validate():