How to encrypt password using Python Flask-Security using bcrypt?
Solution 1
Instead of storing the password you can use python's native decorators to store a hashed version of the password instead and make the password unreadable for security purposes, like this:
class User(db.Model, UserMixin):
id = db.Column(db.Integer, primary_key=True)
email = db.Column(db.String(255), unique=True)
password_hash = db.Column(db.String(128))
@property
def password(self):
raise AttributeError('password not readable')
@password.setter
def password(self, password):
self.password_hash = bcrypt.hashpw('password', bcrypt.gensalt()))
# or whatever other hashing function you like.
You should add a verify password function inline with the bcrypt technolgy you implement:
def verify_password(self, password)
return some_check_hash_func(self.password_hash, password)
Then you can create a user with the usual:
User(email='[email protected]', password='abc')
and your Database should be populated with a hashed password_hash
instead of a password
attribute.
Solution 2
You're right, create_user()
doesn't hash the password. It is a lower-level method. If you are able to use registerable.register_user()
instead, then it will hash the password for you. But if you would like to use create_user()
directly, then just encrypt the password before calling it:
from flask import request
from flask_security.utils import encrypt_password
@bp.route('/register/', methods=['GET', 'POST'])
@anonymous_user_required
def register():
form = ExtendedRegistrationForm(request.form)
if form.validate_on_submit():
form_data = form.to_dict()
form_data['password'] = encrypt_password(form_data['password'])
user = security.datastore.create_user(**form_data)
security.datastore.commit()
# etc.
I wouldn't recommend overriding the password hashing on the User object, since Flask-Security uses the SECURITY_PASSWORD_HASH
setting to store the password hashing algorithm. (It defaults to bcrypt
, so you don't need to set this explicitly if you don't want to.) Flask-Security uses HMAC to salt the password, in addition to the SECURITY_PASSWORD_SALT
which you provide, so just hashing the password using e.g. passlib with bcrypt won't result in a hash that Flask-Security will correctly match. You might be able to side-step this by cutting Flask-Security out of the loop and doing all password creation and comparison tasks yourself… but what's the point? You're using a security library, let it do security for you. They've already fixed the bugs you're bound to run into.
Related videos on Youtube
Johnny John Boy
Updated on June 04, 2022Comments
-
Johnny John Boy almost 2 years
I'm trying to utlise the standard basic example in the docs for Flask-Security and have made it work except for the password being stored in plaintext.
I know this line:
user_datastore.create_user(email='[email protected]', password='password')
I could change to:
user_datastore.create_user(email='[email protected]', password=bcrypt.hashpw('password', bcrypt.gensalt()))
But I thought Flask-Security took care of the (double?) salted encryption and if I add the app.config['SECURITY_REGISTERABLE'] = True and go to /register the database this time IS encrypted correctly.
I know I am missing something simple but don't quite understand where..
from flask import Flask, render_template from flask_sqlalchemy import SQLAlchemy from flask_security import Security, SQLAlchemyUserDatastore, UserMixin, RoleMixin, login_required import bcrypt # Create app app = Flask(__name__) app.config['DEBUG'] = True app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False app.config['SECRET_KEY'] = 'super-secret' app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///login.db' app.config['SECURITY_PASSWORD_HASH'] = 'bcrypt' app.config['SECURITY_PASSWORD_SALT'] = b'$2b$12$wqKlYjmOfXPghx3FuC3Pu.' # Create database connection object db = SQLAlchemy(app) # Define models roles_users = db.Table('roles_users', db.Column('user_id', db.Integer(), db.ForeignKey('user.id')), db.Column('role_id', db.Integer(), db.ForeignKey('role.id'))) class Role(db.Model, RoleMixin): id = db.Column(db.Integer(), primary_key=True) name = db.Column(db.String(80), unique=True) description = db.Column(db.String(255)) class User(db.Model, UserMixin): id = db.Column(db.Integer, primary_key=True) email = db.Column(db.String(255), unique=True) password = db.Column(db.String(255)) active = db.Column(db.Boolean()) confirmed_at = db.Column(db.DateTime()) roles = db.relationship('Role', secondary=roles_users, backref=db.backref('users', lazy='dynamic')) # Setup Flask-Security user_datastore = SQLAlchemyUserDatastore(db, User, Role) security = Security(app, user_datastore) # Create a user to test with @app.before_first_request def create_user(): try: db.create_all() user_datastore.create_user(email='[email protected]', password='password') db.session.commit() except: db.session.rollback() print("User created already...") # Views @app.route('/') @login_required def home(): return render_template('index.html') if __name__ == '__main__': app.run()