I am using admin-SDK of firebase in python
I have created a new user using the following code
user = auth.create_user(
email=email,
email_verified=False,
password=password,
display_name=name,
disabled=False)
now I have created a function that takes name , _email id _ and password from the user and fetch user using it's email id and then checks if entered details are correct.
def check_user(self, name, email, password): # fixme compare password
user = auth.get_user_by_email(email)
if user.display_name == name and user.email == email:# add password comparision
print('successful login')
return True
else:
print('username or password incorrect')
return False
I want to compare password entered with the password stored, but I am unable to compare as I can't access password, I can only access passwordHash using user.passwordHash and passwordSalt using user.passwordSalt.
is there any away I can find passwordHash or passwordSalt of password so I can compare the hashes.
The usual flow when using Firebase Authentication is that your users sign in with client-side code that uses a Firebase SDK directly. So in that case,
Firebase itself would be performing the check whether the password is correct.
You can perform the check yourself, but you'll have to hash the plaintext password from the user in your code and then compare the stored and calculated hash values, essentially duplicating what Firebase already does. Firebase uses a modified version of scrypt to encrypt the passwords.
There's a library called pyrebase. You can use it to mimic client in server. Simply use sign_in_with_email_and_password(email, password) once you initiate the pyrebase object.
GitHub url: https://github.com/thisbejim/Pyrebase
Firebase Admin SDK for python do not provide a way to compare password. However, there is a solution to confirm user authenticity.
This might be helpful https://stackoverflow.com/a/71398321/9681645
Related
In Odoo 11 I could retrieve the hashed password from password_crypt field in res_users table, but this doesn't work in Odoo 13 any more.
I used the Odoo 11 credentials to login to other applications, which can't be integrated in Odoo. This authentication stopped working as the password seems to be write only. Now I'm looking for a way to get read access to the Odoo password, any clue how to do that using the API?
I use the following python test code, but password field is empty:
import xmlrpclib
common = xmlrpclib.ServerProxy('{}/xmlrpc/2/common'.format(url))
uid = common.authenticate(db, username, password, {})
models = xmlrpclib.ServerProxy('{}/xmlrpc/2/object'.format(url))
user = models.execute_kw(db, uid, password,
'res.users', 'search_read',
[[['id', '=', 2]]],
{})[0]
print user
Any idea how to read the write only hashed password?
Since the read() method is overridden on res.users to exclude some fields, such as the password field, I would (not*) recommend to create a method on the res.users that does a SQL read like so:
def read_password(self):
self.ensure_one()
self.env.cr.execute("SELECT password FROM res_users WHERE id=%s", self.id)
*Disclaimer: There is a reason that Odoo hides the password field, so here you are essentially bypassing Odoo's security. You will need to make triple sure that this method is 100% secure. Some ideas:
Add a check for the correct API key
Only allow a certain user to execute this method
Only allow a certain IP source to execute this method
I am using python jira module. Now when the user enters the jira username and password, it is authenticated using JIRA(option,basic_auth = (username,password)).
How do I keep asking for the username or password if entered one is incorrect?
I don't know much about the jira library,but funcmedtly,this is what it should look like:
username,passwd=input().split()
while not is_correct(username,passwd):
username,passwd=input().split()
# .. Do something with username and passwd ..
My Django app password in database looks like this:
pbkdf2_sha256$100000$XXXXXXXXXX$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
But if I duplicate it to another user, I could log in to that user's account.
Assuming a database breach or some kind of injection, can I detect if password was somehow duplicated/copied so that I can deny access to the account or alert admins?
as Selcuk says if some one has access to write into your database, he/she can do anything like generate password as your system want.
but you can make it harder to change password.
if you want to deny password copy from database you must create your own user model and update hashing algorithm like this.
first create a user model:
from django.contrib.auth.hashers import make_password, check_password
class MyUser(User):
def set_password(self, raw_password):
self.password = make_password(self.username + raw_password)
self._password = raw_password
def check_password(raw_password):
def setter(raw_password):
self.set_password(raw_password)
self._password = None
self.save(update_fields=['password'])
return check_password(self.username + raw_password, self.password. setter)
by these changes user password hashes are contain username and copy hash for other user does not works correctly
I am working on openedx(works on django) and i need to create an api to register the user coming from a particular site, i am being given a hashed password not a normal one and i need to save it as so.
The problem here is that the openedx's registration function hashes the password that is being passed into it.
so is there a way in django to store a password/register a user without hashing the password.
Should i go for updating the user's credentials directly using
raw()
any help would be appreciated, thanks.
I would suggest to override method set set_password in user_model.
class MyUser(AbstractBaseUser):
# if you need to hash passwords for some users.
is_password_hashed = models.BooleanField(default=True)
...
def set_password(self, raw_password):
if self.is_password_hashed:
super(MyUser, self).set_password(raw_password)
else:
self.password = raw_password
If you want to store only non-hashed passwords:
class MyUser(AbstractBaseUser):
...
def set_password(self, raw_password):
self.password = raw_password
Or even override default user model set_password method.
It's as simple as:
from django.contrib.auth.models import User
User.objects.filter(username="myuser").update(password=hashed_password)
(remember passwords are stored as hashed values in the database)
The Open edX manage_user management command was recently updated to support this use case when creating a new user.
Example:
./manage.py lms --settings=devstack manage_user jane jane#example.com --initial-password-hash 'pbkdf2_sha256$20000$mRxYkenyBiH6$yIk8aZYmWisW2voX5qP+cAr+i7R/IrZoohGsRK2fy4E='
However, that command requires a very recent version of Open edX and it will not have any effect if the user account already exists.
As an alternative, you could set up SSO between the external app and Open edX using OAuth2, in which case there's no need for Open edX to store any password at all.
My Django application uses the Rest Framework JWT for authentication. It works great and very elegant.
However, I have a use-case which I am struggling to build. I have already coded up a working solution for the "Forgot Password" workflow. I allow an un-authenticated user to reset their password if-and-only-if they click on a secret link that I send to their email address. However, I would like to modify this solution such that after the password-reset workflow is successfully completed, the user is automatically logged in without having to retype their username and (new) password. I would like to do this to make the user's experience as frictionless as possible.
The problem is I do not know how to make this work without having the user re-type their password (or storing it in clear-text in the DB which is obviously very bad). Below is the current way I get the JWT token. You can see that in line #12, I need the user's clear password. I don't have it. I only have the encrypted password stored in my_user.password.
How can I use the encrypted password in my_user.password instead of the clear password to obtain the JWT? If I cannot use it, then how is this workflow achieved using the Rest Framework JWT?
from rest_framework_jwt.views import ObtainJSONWebToken
from rest_framework status
from django.contrib.auth.models import User
my_user = User.objects.get(pk=1)
ojwt = ObtainJSONWebToken()
if "_mutable" in dir(request.DATA):
mutable = request.DATA._mutable
request.DATA._mutable = True
request.DATA['username'] = my_user.username
request.DATA['password'] = "<my_user's clear password>"
if "_mutable" in dir(request.DATA):
request.DATA._mutable = mutable
token_response = ojwt.post(request)
if status.is_success(token_response.status_code):
# Tell the user login succeeded!!
else:
# Tell the user login failed.
# But hopefully, this shouldn't happen
When working with Django REST Framework JWT, it is typically expected that the user is generating the token on their own. Because you are generating the token on behalf of the user, you can't use any of the standard views to make it work.
You are going to need to generate the token on your own, similar to how DRF JWT does it in the views. This means using something like the following for your view code
from rest_framework_jwt.settings import api_settings
from datetime import datetime
jwt_payload_handler = api_settings.JWT_PAYLOAD_HANDLER
jwt_encode_handler = api_settings.JWT_ENCODE_HANDLER
my_user = User.objects.get(pk=1) # replace with your existing logic
payload = jwt_payload_handler(my_user)
# Include original issued at time for a brand new token,
# to allow token refresh
if api_settings.JWT_ALLOW_REFRESH:
payload['orig_iat'] = timegm(
datetime.utcnow().utctimetuple()
)
return {
'token': jwt_encode_handler(payload)
}
This should allow you to manually generate the token within the view, without having to know the user's password.