
Comments (8)

miguelgrinberg commented on June 10, 2024

The definition of what "password" means is up to the implementer, it does not necessarily need to be the unencrypted password selected by the user. You could return a hashed password from the get_password callback, and as long as the client applies the same hash function before submitting the password with the request things will work the same. Would that work?

from flask-httpauth.

cliffmcc commented on June 10, 2024

I considered that. It could work, but it requires that matching hashes be calculated on the client in JS. By definition there should be nothing "secret" about the hashing algorithm, so this doesn't lower security itself, but it does mean you need hashing code in JS. However, it does lower the security-through-obscurity factor a bit, since this would make any user-specific salt publicly visible.

Overall, it would still be better to do all the hashing on the server side and send the plain password over SSL.

Not a real problem for me personally, just an observation I had while reading about this extension in your recent blog post. Nice post by the way.


miguelgrinberg commented on June 10, 2024

I think I now understand what you are saying. What I'm missing is a callback that can optionally transform the password submitted by the client before it gets compared against the one returned by get_password. If I had that then the client sends the plain password, but the server applies the hashing function that matches what was applied prior to storing the password in the database.

Not a bad idea.


cliffmcc commented on June 10, 2024

That's exactly what I was thinking. This would let the server provide arbitrary hashing algorithms. Thanks for considering it.


miguelgrinberg commented on June 10, 2024

I've added a hash_password callback (only for basic auth).


lunayo commented on June 10, 2024

Is it possible to get both the username and password in the hash_password callback? I need the username to retrieve the password's salt from the database before creating a hash_password for comparison. The hash_password format is probably similar to this: sha(password+salt)


miguelgrinberg commented on June 10, 2024

@lunayo Makes perfect sense. I'll look into that.


miguelgrinberg commented on June 10, 2024

@lunayo: just pushed version 2.1.0 with this change. The hash_password callback can now also take two arguments, username and password, in that order.

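The pattern the thread converges on (client sends the plain password over TLS, server re-hashes it with the user's own salt and compares against the stored hash) can be shown without the extension itself. The block below is an added, stand-alone example and not flask-httpauth's code: `get_password` and `hash_password` play the roles of the two callbacks from the thread (in the extension they would be registered with the `@auth.get_password` and `@auth.hash_password` decorators), `verify_password` does what the extension does with their results, and the user store, the PBKDF2-HMAC-SHA256 construction in place of the plain `sha(password+salt)` mentioned above, and the sample user are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption of this example: PBKDF2-HMAC-SHA256 with a per-user random salt
# instead of a single sha(password+salt); the shape of the callbacks is the same.
PBKDF2_ROUNDS = 200_000
SALT_BYTES = 16

# Constructed in-memory user store: username -> (salt, stored hash as hex).
USERS = {}


def derive_hash(password: str, salt: bytes) -> str:
    """Hash a plaintext password with the given salt; returns lowercase hex."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return dk.hex()


def register_user(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the plaintext is never kept."""
    salt = secrets.token_bytes(SALT_BYTES)
    USERS[username] = (salt, derive_hash(password, salt))


def get_password(username: str):
    """Role of the get_password callback: return the stored hash, or None if unknown."""
    entry = USERS.get(username)
    return entry[1] if entry else None


def hash_password(username: str, password: str) -> str:
    """Role of the two-argument hash_password callback (version 2.1.0 in the thread).

    The username is needed to look up the per-user salt, which is exactly the
    point lunayo raised above. An unknown user is still hashed against a fixed
    dummy salt so the failing path costs about the same as the succeeding one.
    """
    entry = USERS.get(username)
    salt = entry[0] if entry else b"\x00" * SALT_BYTES
    return derive_hash(password, salt)


def verify_password(username: str, submitted: str) -> bool:
    """What the extension does with the two callbacks: transform, then compare.

    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    stored = get_password(username)
    candidate = hash_password(username, submitted)  # always computed, see above
    if stored is None:
        return False
    return hmac.compare_digest(candidate, stored)


# Sample user, constructed for this example.
register_user("alice", "correct horse battery staple")

if __name__ == "__main__":
    print(verify_password("alice", "correct horse battery staple"))  # True
    print(verify_password("alice", "wrong password"))                 # False
    print(verify_password("nobody", "anything"))                      # False
```

Because the salt never leaves the server, the objection in the second comment (a client-side hash would expose the per-user salt) does not apply, and the hashing scheme can be changed later by updating `derive_hash` alone.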
