diff options
Diffstat (limited to 'mediagoblin/auth')
| -rw-r--r-- | mediagoblin/auth/__init__.py | 4 | ||||
| -rw-r--r-- | mediagoblin/auth/lib.py | 32 | ||||
| -rw-r--r-- | mediagoblin/auth/views.py | 2 |
3 files changed, 3 insertions, 35 deletions
diff --git a/mediagoblin/auth/__init__.py b/mediagoblin/auth/__init__.py index 2460c048..abb18d2d 100644 --- a/mediagoblin/auth/__init__.py +++ b/mediagoblin/auth/__init__.py @@ -16,8 +16,8 @@ from mediagoblin.tools.pluginapi import hook_handle -def check_login(user, login_form): - return hook_handle("auth_check_login", user, login_form) +def check_login(user, password): + return hook_handle("auth_check_login", user, password) def get_user(*args): diff --git a/mediagoblin/auth/lib.py b/mediagoblin/auth/lib.py index 6ce23f5b..1a9416fc 100644 --- a/mediagoblin/auth/lib.py +++ b/mediagoblin/auth/lib.py @@ -23,38 +23,6 @@ from mediagoblin.tools.template import render_template from mediagoblin import mg_globals -def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None): - """ - Check to see if this password matches. - - Args: - - raw_pass: user submitted password to check for authenticity. - - stored_hash: The hash of the raw password (and possibly extra - salt) to check against - - extra_salt: (optional) If this password is with stored with a - non-database extra salt (probably in the config file) for extra - security, factor this into the check. - - Returns: - True or False depending on success. - """ - if extra_salt: - raw_pass = u"%s:%s" % (extra_salt, raw_pass) - - hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash) - - # Reduce risk of timing attacks by hashing again with a random - # number (thx to zooko on this advice, which I hopefully - # incorporated right.) - # - # See also: - rand_salt = bcrypt.gensalt(5) - randplus_stored_hash = bcrypt.hashpw(stored_hash, rand_salt) - randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt) - - return randplus_stored_hash == randplus_hashed_pass - - def bcrypt_gen_password_hash(raw_pass, extra_salt=None): """ Generate a salt for this new password. diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index 811bb157..b13efebc 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -105,7 +105,7 @@ def login(request): if login_form.validate(): user = auth.get_user(login_form) - if user and auth.check_login(user, login_form): + if user and auth.check_login(user, login_form.password.data): # set up login in session request.session['user_id'] = unicode(user.id) request.session.save() |