I have a Django application that allows web visitors to create their own accounts. Once they create an account with a password, they should receive an email containing an activation code. When a web-visitor creates a new account, they need to receive an activation email containing a unique key.
Obviously, I can do all this using Django's built-in authentication system. I've done it before without any problems. However, in this application, I don't want to pollute my Users table with inactive users. I only want activated users to appear in the Users table. So although I will use Django's account system for authenticating activated users, until they become activated, I'm rolling my own system. I'm keeping all the data about not-yet-activated users in a separate Django Model object (called UserActivation). And I will be managing the sending of the activation email myself.
The problem I'm having is that I don't want to store the user-submitted password in plain text. I want to store it in my UserActivation object in a field called "password" in the same hashed format it would appear in the User table. To put it into the user object, I would have done myUser.set_password("plainTextPassword"). How can I get this same value and stuff it into UserActivation.password?
From looking at this doc, it seems that there is a make_password() function that returns the value that I need. But I still need a User object to call that method. How can I convert "plainTextPassword" to a hashed password without going through the User object?
Django provides a flexible password storage system and uses PBKDF2 by default. The components used for storing a User's password are separated by the dollar-sign character and consist of: the hashing algorithm, the number of algorithm iterations (work factor), the random salt, and the resulting password hash.
This user object will store the password as plain text. Django doesn't automatically convert the text to a hashed value; instead, if you dig deeper, you'll find a method called make_password, or there's a method in AbstractUser, set_password, which basically converts the string to a hash value.
Decrypt Password: Django doesn't provide any built-in library or function to decrypt the encrypted password, as decrypting a password is never a good idea. Instead of decrypting the hashed password, we compare the hashed password with the plaintext password and check whether they are equivalent or not.
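The four-part layout and the compare-instead-of-decrypt check described above, as an added standard-library sketch (not Django's code and not from any answer on this page; in the application itself call make_password and check_password). The function names and the iteration count are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"


def encode(password, salt=None, iterations=600_000):
    """Build an 'algorithm$iterations$salt$hash' string for a plaintext password."""
    # 600_000 is a constructed sample work factor, not a value taken from the page.
    if salt is None:
        salt = secrets.token_urlsafe(16)  # URL-safe alphabet never contains '$'
    if "$" in salt:
        raise ValueError("salt must not contain the '$' separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "$".join([ALGORITHM, str(iterations), salt, base64.b64encode(digest).decode("ascii")])


def decode(encoded):
    """Split a stored value into its four components, rejecting malformed input."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("not a pbkdf2_sha256 encoded password")
    if not parts[1].isdigit() or int(parts[1]) < 1:
        raise ValueError("invalid iteration count")
    return {"algorithm": parts[0], "iterations": int(parts[1]), "salt": parts[2], "hash": parts[3]}


def verify(password, encoded):
    """Re-derive the hash with the stored salt and work factor, then compare."""
    try:
        fields = decode(encoded)
    except ValueError:
        return False  # unparseable or plain-text values never verify
    candidate = encode(password, fields["salt"], fields["iterations"])
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(candidate.encode(), encoded.encode())


if __name__ == "__main__":
    stored = encode("plain_text")  # the kind of value UserActivation.password would hold
    print(stored)
    print(verify("plain_text", stored), verify("wrong", stored))
```

Because the salt and work factor travel inside the stored string, a value in this layout can be copied between tables unchanged and still be verified later.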
The accepted answer was helpful to me - I just wanted to add the check_password call (for people like me, who haven't used this functionality before)
from django.contrib.auth.hashers import make_password, check_password
hashed_pwd = make_password("plain_text")
check_password("plain_text", hashed_pwd)  # returns True
You are on the right track. However you can manage the password manually using
from django.contrib.auth.hashers import make_password
print("Hashed password is:", make_password("plain_text"))
Hasher configuration will be driven by PASSWORD_HASHERS, which should be common for both the auth system and your UserActivation model. However, you can pass it in the make_password method also.
PASSWORD_HASHERS = (
    'myproject.hashers.MyPBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)
Hope this helps.
Read this link for more details: https://docs.djangoproject.com/en/dev/topics/auth/passwords/
I solved it recently by doing the following steps:
from .models import Client
from django.contrib.auth.hashers import make_password
from .forms import ClientForm

# Inside the view that handles the POST request:
form = ClientForm(request.POST)
if form.is_valid():
    first_name = form.cleaned_data['first_name']
    family_name = form.cleaned_data['family_name']
    # Hash the submitted password before it is stored on the model
    password = make_password(form.cleaned_data['password'])
    phone = form.cleaned_data['phone']
    user = Client(first_name=first_name, family_name=family_name, password=password, phone=phone)
    user.save()