I am trying to create a basic flask login page using Flask-Scrypt to store the password securely in the database.
Based on the debugging it prints: Attempting password verification... Checking password for user: admin Hashed password from attempt: b'89ABrlAbxdOeLlup4L96Cv5sqsFL7xYmPNrS/fZ58Po40J4+zK8BqYZTt9Gqkm+/+fRKs/etPSTyJHfeRlFLg==' Stored hashed password: 89ABrlAbxdOeLlup4L96Cv5sqsFL7xYmPNrS/fZ58Po40J4+zK8BqYZTt9Gqkm+/+fRKs/etPSTyJHfeRlFLg== Invalid password Rendering login.html...
Here is the models.py:
# app/models.py
from . import db
from flask_scrypt import generate_random_salt, generate_password_hash, check_password_hash
import os
import base64
class User(db.Model):
__tablename__ = 'users'
userID = db.Column('userID', db.Integer, primary_key=True)
username = db.Column('username', db.String(50), unique=True, nullable=False)
password_hash = db.Column('password_hash', db.String(200), nullable=False)
salt = db.Column('salt', db.String(200), nullable=False)
def __init__(self, username, password):
self.username = username
self.set_password(password)
def set_password(self, password):
self.salt = generate_random_salt()
print("Salt before hashing:", self.salt) # Debugging
password_bytes = password.encode('utf-8')
self.password_hash = generate_password_hash(password_bytes + self.salt, salt=self.salt)
def check_password(self, password):
print("Checking password for user:", self.username)
password_bytes = password.encode('utf-8')
salt_bytes = self.salt.encode('utf-8')
hashed_password_attempt = generate_password_hash(password_bytes + salt_bytes, salt=salt_bytes)
print("Hashed password from attempt:", hashed_password_attempt) # Debugging
print("Stored hashed password:", self.password_hash) # Debugging
return check_password_hash(self.password_hash, password_bytes, salt=salt_bytes)
And here is the routes.py
from flask import Blueprint, render_template, redirect, url_for, flash
from flask_login import login_user
from .forms import LoginForm
from .models import User
from . import db
auth = Blueprint("auth", __name__)
main = Blueprint("main", __name__)
admin = Blueprint("admin", __name__)
@auth.route("/login", methods=['GET', 'POST'])
def login():
form = LoginForm()
if form.validate_on_submit():
# Retrieve user record from the database based on the provided username
user = User.query.filter_by(username=form.username.data).first()
print("User:", user) # Debugging: Print user to check if retrieved
if user:
# Verify the password
print("Attempting password verification...") # Debugging: Check password verification attempt
if user.check_password(form.password.data):
# Password matches, authentication successful
print("Password verified. Logging in...") # Debugging: Indicate successful password verification
login_user(user)
return redirect(url_for('admin.admin_panel'))
else:
# Password doesn't match, render login page with error message
print("Invalid password") # Debugging: Indicate invalid password
flash('Invalid username or password', 'error')
else:
# User not found, render login page with error message
print("User not found") # Debugging: Indicate user not found
flash('Invalid username or password', 'error')
# If GET request or form validation failed, render the login page
print("Rendering login.html...") # Debugging: Indicate rendering of login.html
return render_template('login.html', form=form)
@main.route("/")
def index():
return render_template("index.html")
@admin.route("/admin")
def admin_panel():
return render_template("admin.html")
it is looking up the details in a mysql database, and based on the debugging it is finding the correct password hash, but logging this as invalid.
I have tried a number of variations in the check_password function
I think you put hashed and plain password in incorrect place, it should like this.
from flask_scrypt import (
generate_random_salt,
generate_password_hash,
check_password_hash,
)
def save_password(password: str) -> tuple[str, str]:
password_salt = generate_random_salt()
password_hash = generate_password_hash(password, password_salt)
return password_salt, password_hash.decode()
def validate_password(plain_password: str, salt: str, hash_password: bytes) -> bool:
return check_password_hash(plain_password, hash_password, salt)
if __name__ == "__main__":
user_password = "very_secret_password"
salt_gen, hash_pass = save_password(user_password)
is_valid = validate_password(user_password, salt_gen, hash_pass.encode())
print(is_valid) # this value is supposed to true
For function check_password_hash(plain_password, hash_password, salt)
it should
plain_password
in the 1st argumenthash_password
that is stored in db in 2nd argumentsalt
that is stored in db on 3rd argument.It should be like this
return check_password_hash(password_bytes, self.password_hash, salt=salt_bytes)
And the second thing, you don't need to concat generated hash password with that salt again, it's already mixed the password.
hashed = generate_password_hash(plain, salt) # -> already mixed with the salt
But what is you writing instead
hashed = generate_password_hash(plain + salt, salt) # this is double salt
You can make it simple like this
self.password_hash = generate_password_hash(password_bytes, salt=self.salt)