我正在尝试使用 Flask-Scrypt 创建一个基本的 Flask 登录页面,以将密码安全地存储在数据库中。
根据打印的调试: 正在尝试密码验证... 检查用户密码:admin 尝试的哈希密码:b'89ABrlAbxdOeLlup4L96Cv5sqsFL7xYmPNrS/fZ58Po40J4+zK8BqYZTt9Gqkm+/+fRKs/etPSTyJHfeRlFLg==' 存储的哈希密码:89ABrlAbxdOeLlup4L96Cv5sqsFL7xYmPNrS/fZ58Po40J4+zK8BqYZTt9Gqkm+/+fRKs/etPSTyJHfeRlFLg== 无效的密码 渲染login.html...
这是 models.py:
# app/models.py
from . import db
from flask_scrypt import generate_random_salt, generate_password_hash, check_password_hash
import os
import base64
class User(db.Model):
__tablename__ = 'users'
userID = db.Column('userID', db.Integer, primary_key=True)
username = db.Column('username', db.String(50), unique=True, nullable=False)
password_hash = db.Column('password_hash', db.String(200), nullable=False)
salt = db.Column('salt', db.String(200), nullable=False)
def __init__(self, username, password):
self.username = username
self.set_password(password)
def set_password(self, password):
self.salt = generate_random_salt()
print("Salt before hashing:", self.salt) # Debugging
password_bytes = password.encode('utf-8')
self.password_hash = generate_password_hash(password_bytes + self.salt, salt=self.salt)
def check_password(self, password):
print("Checking password for user:", self.username)
password_bytes = password.encode('utf-8')
salt_bytes = self.salt.encode('utf-8')
hashed_password_attempt = generate_password_hash(password_bytes + salt_bytes, salt=salt_bytes)
print("Hashed password from attempt:", hashed_password_attempt) # Debugging
print("Stored hashed password:", self.password_hash) # Debugging
return check_password_hash(self.password_hash, password_bytes, salt=salt_bytes)
这是routes.py
from flask import Blueprint, render_template, redirect, url_for, flash
from flask_login import login_user
from .forms import LoginForm
from .models import User
from . import db
auth = Blueprint("auth", __name__)
main = Blueprint("main", __name__)
admin = Blueprint("admin", __name__)
@auth.route("/login", methods=['GET', 'POST'])
def login():
form = LoginForm()
if form.validate_on_submit():
# Retrieve user record from the database based on the provided username
user = User.query.filter_by(username=form.username.data).first()
print("User:", user) # Debugging: Print user to check if retrieved
if user:
# Verify the password
print("Attempting password verification...") # Debugging: Check password verification attempt
if user.check_password(form.password.data):
# Password matches, authentication successful
print("Password verified. Logging in...") # Debugging: Indicate successful password verification
login_user(user)
return redirect(url_for('admin.admin_panel'))
else:
# Password doesn't match, render login page with error message
print("Invalid password") # Debugging: Indicate invalid password
flash('Invalid username or password', 'error')
else:
# User not found, render login page with error message
print("User not found") # Debugging: Indicate user not found
flash('Invalid username or password', 'error')
# If GET request or form validation failed, render the login page
print("Rendering login.html...") # Debugging: Indicate rendering of login.html
return render_template('login.html', form=form)
@main.route("/")
def index():
return render_template("index.html")
@admin.route("/admin")
def admin_panel():
return render_template("admin.html")
它正在 mysql 数据库中查找详细信息,并根据调试找到正确的密码哈希,但将其记录为无效。
我尝试了 check_password 函数的多种变体
我认为你把散列密码和普通密码放在了不正确的地方,它应该像这样。
对于功能
check_password_hash(plain_password, hash_password, salt)
应该
plain_password
hash_password
存储在第二个参数的数据库中salt
存储在第三个参数的数据库中。应该是这样的
return check_password_hash(password_bytes, self.password_hash, salt=salt_bytes)
第二件事,你不需要再次将生成的哈希密码与该盐连接起来,它已经混合了密码。
hashed = generate_password_hash(plain, salt) # -> already mixed with the salt
但是你在写什么
hashed = generate_password_hash(plain + salt, salt) # this is double salt
你可以像这样简单化
self.password_hash = generate_password_hash(password_bytes, salt=self.salt)
还有你