Hello, I am a developer of a Django project and I have to check that my dev is okay.
To do this, I have to connect myself as a user, but I have just his email, not his password. I found in the table User the email and the password, but the password begins with this: pbkdf2_sha256 ...
So I guess the password is encrypted. Is there an easier way to do this?
Thank you for your help !
Depending on how the passwords are hashed when new users are created, you could just replace the user's hash with another one:
Go into the database and copy the passwordHash of the user you would like to log in with
Store this hash somewhere (you will need it to revert the change)
Copy the hash of another user (a user for whom you know the password)
Paste the hash of this user in place of the hash of the user you want to log in as
If the hashes are generated the same way, you will be able to log in with the other user's password.
Then, when you are done, revert the changes in the database.
Hope it helps.
Passwords in Django are one-way encrypted, so they cannot be decrypted; hence there is no way of finding the actual password of any user from the user table in the database.
If you want to log in on another user's behalf without having to know their password, then you can write some complicated code to achieve that, or use a third-party package.
django-hijack looks like a good one. Its docs have a good explanation of how to use it, so I am not going to go through that here. If you don't like this package you can see the list of packages for this purpose here on djangopackages and choose the one you like.
django-hijack usage:
Complete the Installation and After Installation steps first.
Make a POST request to /hijack/<user_id>, where <user_id> is the id column of the user table. If you have not changed the id field on the user model it will be 1, 2, 3, .... So the URL will be similar to /hijack/1/
Make a POST request to /hijack/username/<username> if you want to hijack by username, e.g. /hijack/username/awesome_username/
Make a POST request to /hijack/email/<user email>/ if you want to hijack by the user's email, e.g. /hijack/email/awesome@email.com/
After making a POST request to one of these URLs as a superuser, you will be redirected to the HIJACK_LOGIN_REDIRECT_URL specified in settings.py
I am not sure if django-hijack will work on Python 3 or newer versions of Django. If it doesn't work, try out django-impersonate, which provides the same functionality in a similar way and officially supports Python 3.6+ and Django 1.11+
I would like that every time a user changes the password, it is also changed on firebase. The main problem is that the passwords taken from the wordpress database are hashed, while the auth.update_users command takes the raw password.
Obviously I'm not aware of the password in raw format...
What can I do?
I have tried this:
    from firebase_admin import auth

    # (Firebase app initialisation omitted by the poster)
    ...
    users = auth.get_user_by_email('user1@gmail.com')
    print('Successfully fetched user data by email: {0}'.format(users.uid))
    user = auth.update_user(
        uid=users.uid,
        password='$P$BOCNIc5Nw1e9fwm8HaLBChsd7eE4Hh1',  # the WordPress hash, not the raw password
    )
    print('Successfully updated user: {0}'.format(user.uid))
There's nothing you can reasonably do here with the hash. The whole purpose of storing hashes (and hopefully salts) is to make it unfeasible to brute force revert password hashes to their cleartext password. If you could do that, so could any malicious user that gets access to the database of hashes.
If you want to send the cleartext password to two providers, you'll have to capture it at the source (so when the user enters it in the web app) and then send it to both providers.
I am very new to Django rest framework. I am building APIs for my mobile application.
In forgot password module, I have the below flow
Ask user to enter mobile
check existence
If exists - > send OTP
Verify and let user create a new password.
But in this case, I would like to know how to handle the situation below.
When one user requests an OTP and is waiting to verify it, and meanwhile another user requests an OTP,
how do I handle both users at that time?
I thought of
creating a dictionary and saving the user id as key and OTP as value in views.py to verify a particular user.
storing the OTP temporarily until it is verified.
Which is the secure way, and is there any alternative for this kind of scenario?
You should create a table that looks like this:
===== UserOTP =====
user: foreign-key to user
code: CharField, random generated code here (or token)
create_date: auto-fill created datetime
used_date: nullable datetime field
Then on each password reset request, create a row in this table and send the generated code to the user via SMS or email.
Then, on another endpoint, receive the code from the user and check it (for expiration, whether it was used before, whether it belongs to this user, etc.), then continue the password reset process.
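The UserOTP table above, worked through as an added example (not code from the answer or from any Django project): an in-memory list stands in for the table, the code is stored only as a keyed hash, and verification enforces expiry, a guess limit and single use. SERVER_KEY, OTP_TTL and MAX_ATTEMPTS are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

SERVER_KEY = b"assumed-secret-from-settings"  # assumption: loaded from settings, not source
OTP_TTL = 300        # seconds a code stays valid
MAX_ATTEMPTS = 5     # wrong guesses allowed per issued code

@dataclass
class UserOTP:
    """One row of the UserOTP table; the code itself is stored only as a keyed hash."""
    user_id: int
    code_hash: str
    create_date: float
    used_date: Optional[float] = None
    attempts: int = 0

_rows: List[UserOTP] = []  # constructed in-memory stand-in for the database table

def _hash_code(user_id: int, code: str) -> str:
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).hexdigest()

def issue_otp(user_id: int, now: Optional[float] = None) -> str:
    """Create a row for this user and return the code to send by SMS or e-mail."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _rows.append(UserOTP(user_id, _hash_code(user_id, code), now))
    return code

def verify_otp(user_id: int, code: str, now: Optional[float] = None) -> bool:
    """Check the newest unused code for this user: not expired, under the guess limit, single use."""
    now = time.time() if now is None else now
    for row in reversed(_rows):
        if row.user_id != user_id or row.used_date is not None:
            continue
        if now - row.create_date > OTP_TTL or row.attempts >= MAX_ATTEMPTS:
            return False
        row.attempts += 1
        if hmac.compare_digest(row.code_hash, _hash_code(user_id, code)):
            row.used_date = now
            return True
        return False
    return False
```

Two concurrent users simply get two rows keyed by their own user_id, which is what makes the dictionary-in-views.py idea unnecessary.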
There is a better way to do this. Since OTPs are for temporary use, there is no use case for storing them in the database. We can use hashlib.blake2s(b'otp', key=b'secretkey').hexdigest() to generate a hashed string and send it to the user, then accept the same hash string in the OTP verification request and check the truthiness of the hash string generated from the OTP the user shares. This is one way to handle OTP verification.
hashlib's blake2s accepts only byte strings, and you can also use any other hashing algorithm for this purpose. I am also open to ideas if there are any better ways to do this; please update in the comments.
Using sessions would be a better choice, as it works for both Django and Django REST framework.
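The keyed blake2s idea above, made concrete as an added example (not the answer's own code): the server keeps no state, the user is bound into the MAC together with an expiry time, and the client hands the challenge back with the OTP the user typed. SERVER_KEY and OTP_TTL are assumed values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

SERVER_KEY = b"assumed-secret-from-settings"  # assumption: keep this out of source control
OTP_TTL = 300  # seconds

def _mac(user_id: int, otp: str, expires: int) -> str:
    # keyed hash over user, code and expiry: changing any of them invalidates the MAC
    msg = f"{user_id}:{otp}:{expires}".encode()
    return hashlib.blake2s(msg, key=SERVER_KEY).hexdigest()

def issue_otp(user_id: int, now: int) -> Tuple[str, Dict[str, object]]:
    """Return (otp to send out of band, challenge to hand back to the client)."""
    otp = f"{secrets.randbelow(10**6):06d}"
    expires = now + OTP_TTL
    challenge = {"user_id": user_id, "expires": expires, "mac": _mac(user_id, otp, expires)}
    return otp, challenge

def verify_otp(challenge: Dict[str, object], otp: str, now: int) -> bool:
    """Client returns the challenge plus the typed OTP; no database lookup is needed."""
    if now > int(challenge["expires"]):
        return False
    expected = _mac(int(challenge["user_id"]), otp, int(challenge["expires"]))
    return hmac.compare_digest(expected, str(challenge["mac"]))
```

Because nothing is stored, a valid (challenge, otp) pair stays valid until it expires and there is no per-code attempt counter; single use and guess limiting still need server-side state or rate limiting.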
I've created a bunch of users in one directory (directory_A). Now, I'm going to switch to another directory (directory_B).
How can I migrate all users from directory_A to directory_B without knowing their passwords?
I saw this script
https://github.com/stormpath/stormpath-migrate/blob/master/migrate/migrators/account.py
but it only works if I know the user password.
Any suggestions?
I work at Stormpath. You can email support@stormpath.com to have them send over an encrypted export of all of the hashed user passwords for your tenant. If you do so, please send over your tenant name, tenant owner's email address, mobile phone number and mobile carrier (eg Verizon, T-Mobile, etc).
You can also 'copy' your users over without passwords by providing an empty passwords.json file to the migration script. Accounts will be created in the destination directory with random passwords, so you'll then need to issue password resets on those accounts so that your users can log in.
Edit: The migration script as written copies all Stormpath resources from one tenant into another, so you'll need to edit it if you only want a single Directory and the accounts inside of it copied over. If you don't want to do that, you can use the migration script as is and delete the resources that were copied over that you don't want.
I apologize if there has been a substantial answer on this already, I have searched for quite a while and can't find any helpful answers.
I have a django project that has varying levels of account access. I have a group of 'Managers' and I want to allow them to manage user accounts.
I want the Managers to be able to create the user account objects for the users. However, I don't want them to have to deal with creating their passwords and sending them to the users (for obvious reasons). This way, managers can impersonate users to get work done on their behalf, and users maintain password control and ownership of their data.
The idea is that managers create the account, and when the account is created Users will be sent a password reset form (same as django's out-of-box auth) which will allow them to set their passwords.
My code looks similar to below (omitted non-imperative stuff)
    from django.contrib.auth.models import User
    from django.contrib.auth.forms import PasswordResetForm

    @manager_required
    def manager_add_users(request):
        add_user_form = manager_add_user_form(request.POST)
        # (form validation omitted by the poster; cleaned_data exists only after is_valid())
        new_user_name = add_user_form.cleaned_data['user_name']
        new_user_email = add_user_form.cleaned_data['user_email']
        # no password given, so create_user() stores an unusable password
        new_user = User.objects.create_user(
            username=new_user_name,
            email=new_user_email,
        )
        new_user.save()
        set_password_form = PasswordResetForm({'email': new_user.email})
        if set_password_form.is_valid():
            print('Reset Form Is Valid')
            set_password_form.save(
                request=request,
                use_https=True,
                from_email="support@org.com",
                email_template_name='registration/password_reset_email.html')
The account creates properly and everything runs without error. The issue is that although the form is valid (reset form is valid statement prints) it is not actually sending the reset form. There are no form errors.
However, in testing when I initialize the form with an address that already exists in the system like this:
    set_password_form = PasswordResetForm({'email': 'existing_address@example.com'})
The password reset form sends without error. So it only works with existing user email addresses in the system, but although the user has been created and the .save() method called, it's still not catching it (the users are marked as 'Active' upon creation, so they should be findable).
I'm a bit at a loss. I can think of a few ways that I could get around this issue, but this seems the most direct way of doing it and I'm really not entirely sure why it doesn't work.
Yes, I am able to send messages. I am using django's backend mail for testing:
EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
Glancing at the source code, it looks like Django is ignoring the request because the password is blank.
Try setting a temporary password (using, say, django.utils.crypto.get_random_string()) before saving the user.
I have a client app that interacts with a web service to retrieve account information. There's a requirement that the user is notified if they mistyped the username/password. I'm modifying the web service to return something to my client to provide a hint to the user that there's an error in input.
How do I correctly implement the "username/password" not found for a web service using Python?
Do I tell the user that the username exists, but the password is incorrect?
Do I tell the user that there is no such username, but the password matched something?
Do I show a generic username/password combination is not found?
Do I use different status codes for different situations or provide a JSON payload with the error?
Here's my code so far:
    from flask import Flask, Response
    from flask_httpauth import HTTPBasicAuth  # flask.ext.* imports are deprecated

    app = Flask(__name__)
    auth = HTTPBasicAuth()

    accounts = [
        ["user0", "password0"],
        ["user1", "password1"],
    ]

    @app.route('/accountlist')
    @auth.login_required
    def accountlist():
        username = auth.username()
        if username not in [account[0] for account in accounts]:
            # notify the sender that there is no such username
            return Response('Not Authorized', 401, {'WWW-Authenticate': 'Basic'})
        else:
            # proceed to check password and retrieve/return account information
            pass
Do I show a generic username/password combination is not found?
Yes. Why do you think this is "generic"? Because it is the standard. This is the correct way because then a hacker can't go phishing for usernames.
Do I tell the user that the username exists, but the password is incorrect?
No, letting the user know that the username is correct is a user enumeration vulnerability. You are letting an attacker know which usernames are valid allowing them to narrow their target range. This would be useful if they later decided to try a brute force attack as they already know the usernames are correct and now they only need a working password.
Do I tell the user that there is no such username, but the password matched something?
Definitely not. This would mean that the attacker now had a valid password and could use any other username enumeration vulnerability on your site in order to try and find a valid username. Another common username enumeration location is the forgotten password form - many sites report back that there is no such username allowing an attacker to refine their list. Alternatively, they could use this password and brute force a username from it which may be a much easier job as usernames shouldn't benefit from being complex.
As an aside to this, you should be storing your passwords salted and hashed using a secure, slow algorithm such as bcrypt. This should mean it is not possible for you to practically check to see if any password matches the one entered.
Do I show a generic username/password combination is not found?
Yes!
Do I use different status codes for different situations or provide a JSON payload with the error?
Your JSON could return true or false to let the calling JavaScript know whether authentication was successful. If you ever develop any brute force protection, this should be accomplished by introducing a delay in the response rather than hard locking accounts. Hard locking accounts leads to a DoS attack as an attacker can lock out a valid account by repeatedly using the wrong password on purpose. For this reason, only a true/false response is really needed to let the user know if they were successful. Even if the account was hard locked, I would return false but include in the message that the user should contact technical support if they believe they should have access with the password provided.
You don't mention what kind of data you're serving but if you're working in financial or health care data: make it so either the user can log in or they cannot, you shouldn't endeavor to give them any information as to why.
If you want you can tell them that the username is incorrect but you cannot suggest other usernames. And, of course, you cannot give any information about what might be wrong with the password, just tell them that it's incorrect.
About the code you presented, I realize you didn't really ask for coding advice, still, I do tons of code reviews and consistently see the same issues over-and-over with these roll-your-own authentication schemes. If your code is ever audited the auditor will likely find the following issues:
You must never hardcode passwords.
You must never persist a password in cleartext, always use an irreversible hash (SHA-1 or greater) when a password is received and only work with the hash value
Your application should 'fail closed', meaning set up the accountList() function to return a 'not authorized' prior to the if statement and prior to calling any functions that would throw an exception (like a database access). Make the auth check in the if statement. That way, if something fails in the things that the if statement calls (say an exception in data access or file I/O), the user fails to log in.
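The points from both answers above (one generic failure message, salted slow hashing instead of hard-coded cleartext, and failing closed) combined into an added example that is not code from the question or either answer; it uses the standard library's PBKDF2 in place of bcrypt, and the account list and ITERATIONS value are constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed; use bcrypt/argon2 where available)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow, irreversible hash; only this pair is ever persisted."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample store (username -> (salt, hash)); cleartext is never hard-coded or stored.
ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {
    "user0": hash_password("password0"),
    "user1": hash_password("password1"),
}
# Dummy record hashed against when the username is unknown, so both failures cost the same time.
_DUMMY = hash_password(secrets.token_hex(16))

GENERIC_FAILURE = {"ok": False, "error": "username or password is incorrect"}

def verify_credentials(username: str, password: str) -> bool:
    salt, stored = ACCOUNTS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # constant-time compare on the same code path whether or not the user exists
    return hmac.compare_digest(candidate, stored) and username in ACCOUNTS

def login(username: str, password: str) -> Tuple[int, dict]:
    """Fail closed: a mismatch, an unknown user or an exception all yield the same 401 body."""
    try:
        if verify_credentials(username, password):
            return 200, {"ok": True}
    except Exception:  # a storage error must never become an open door
        pass
    return 401, GENERIC_FAILURE
```

Brute-force protection would go in login() as a growing delay per source or account rather than a hard lock, so an attacker cannot lock legitimate users out.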