Flask中没有哈希密码

Question

I don't know why the password is not hashing using Bcrypt. I think I am doing it right. I initilized Bcrypt correctly and I am using mongoengine. Everytime I look at the database it still shows the unencrypyed passwrod in text.

users/models.py

from app import db, bcrypt
class User(db.Document):

    username = db.StringField(required=True)
    first_name = db.StringField(required=True)
    last_name = db.StringField(required=True)
    email = db.EmailField(required=True)
    password = db.StringField(required=True)

    meta = {'collection': 'users'}

    @property
    def hash_password(self):
        return self.password

    @hash_password.setter
    def set_hash_password(self, password):
        self.password = bcrypt.generate_password_hash(password)

    def verify_password(self, password):
        return bcrypt.check_password_hash(self.password, password)

users/views.py

@userV.route('/signup', methods=['GET', 'POST'])
def signup():
    form = SignUpForm()

    if form.validate_on_submit():
        user = User(
            first_name=form.first_name.data,
            last_name=form.last_name.data,
            username=form.username.data,
            email=form.email.data,
            password=form.password.data
        ).save()

        flash('You can now login')
        return render_template('user.html', variable="You can now login " + user.username)

    return render_template('signup.html', form=form)

users/auth/forms.py

class SignUpForm(Form):
    username = StringField('Username', validators=[
        InputRequired(message="Username is required"),
        Regexp('^[A-Za-z][A-Za-z0-9_]*[A-Za-z0-9]$', 0, 'Usernames must have only letters, numbers or underscores')
    ])
    first_name = StringField('First Name', validators=[
        InputRequired(message="First name is required")
    ])
    last_name = StringField('Last Name', validators=[
        InputRequired(message="Last name is required")
    ])
    email = StringField('Email Address', validators=[
        InputRequired(message="Email is required"),
        Email(message="This is not a valid email")
    ])
    password = PasswordField('Password', validators=[
        InputRequired(message="Password is required"),
        Length(min=6, message="The password is not long enough")
    ])
    accept_tos = BooleanField('Accept Terms of Service', validators=[
        InputRequired(message="You have to accept the Terms of Service in order to use this site")
    ])
    submit = SubmitField('Signup')

    def validate(self):
        if not Form.validate(self):
            return False

        if User.objects(username=self.username.data).first():
            raise ValidationError('Username already in use')

        if User.objects(email=self.email.data).first():
            raise ValidationError('Email already registered')

        return True

This is the outcome when I search mongodb shell. The password is not hashed.

{ "_id" : ObjectId("555df97deddd5543c360888a"), "username" : "FullMetal", "first_name" : "Edward", "last_name" : "Elric", "email" : "fullmetalalchemist@gmail.com", "password" : "equalexchange" }

Answer 1

The property is called hash_password not password . I don't see where hash_password is getting assigned (that's when its setter gets called). Also your setter method should have exactly the same name as the property itself, in this case hash_password not ( set_hash_password ). You can then do

user = User(hash_password=form.password.data)

Unfortunately, due to the way mongoengine.Document.__init__ works, you wont be able to use your field this way. You have two options to make it work:

Option 1: First create the User object without the password, then set the hash_password, then save

user = User(first_name=form.first_name.data,
            last_name=form.last_name.data,
            username=form.username.data,
            email=form.email.data)
user.hash_password = form.password.data
user.save()

Option 2: Requires overriding the __init__ method for User

class User(db.Document):
    def __init__(self, *args, **kwargs):
        if 'hash_password' in kwargs:
            self.hash_password = kwargs.pop('hash_password')
        super(User, self).__init__(*args, **kwargs)

Now you can use User as you initially wanted:

user = User(first_name=form.first_name.data, hash_password=form.password.data)

Answer 2

Python @property decorator doesn't work with old-style classes. I made this demo - note the class inheriting from object , which makes it a new-style class. Have a look and modify this to suit your need

class User(object):

    def __init__(self, username, first_name, last_name, email, password):
        print "Initializing"
        self.username = username
        self.first_name = first_name
        self.last_name = last_name
        self.email = email
        self.password = password

    @property
    def password(self):
        print "getting password"
        return self._password

    @password.setter
    def password(self, password):
        print "Setting password"
        self._password = bcrypt.generate_password_hash(password)

    def verify_password(self, password):
        return bcrypt.check_password_hash(self.password, password)

As I mentioned earlier, if all else fails, I'd solve this by performing the logic in my view. That's what I'd have done in the first place, tbh. Python favors expressiveness. I have omitted the other parts

user = User(password=bcrypt.generate_password_hash(form.password.data))

And just removing the @property setter and getter in the User class.

Answer 3

Here is what I do in the same circumstances:

class User(db.Document):
    ...
    password = db.StringField(max_length=255, required=True)

    ...
    def set_password(self, password):
        self.password = bcrypt.generate_password_hash(password)
    ...

Then, in views.py I do the following:

user = User(..)
user.set_password(form.password.data)
user.save()

This way your logic stays within your model, but can be called easily from outside.