[SQLObject] passwords hashed using pgcrypto (in the database)
SQLObject is a Python ORM.
From: Tomas V. <tv...@fu...> - 2012-12-30 20:59:12
Hi,

I'm learning SQLObject - checking if we could use it on our projects, and I got stuck at hashing passwords inside the database.

Imagine a simple table with info about users:

    CREATE TABLE users (
        id INT PRIMARY KEY,
        login TEXT NOT NULL UNIQUE,
        pwdhash TEXT NOT NULL
    )

where "pwdhash" is a hashed password. We're using PostgreSQL and we usually handle this inside the database using a pgcrypto module, that provides various hash/crypto functions.

An insert into the table then looks like this

    INSERT INTO users VALUES (1, 'login', crypt('mypassword', gen_salt('bf')))

which generates a salt, computes the hash and stores that into a single text column (salt+hash).

The authentication then looks like this:

    SELECT id, login FROM users
    WHERE login = 'login' AND pwdhash = crypt('mypassword', pwdhash)

which reuses the salt stored in the column.

I'm investigating if we could do this with SQLObject, but it seems to me the answer is 'no'. I see it's possible to define magic attributes, but that's not enough as I need to rewrite the SQL (to add the calls to the crypt/gen_salt functions).

I've done similar evaluations with SQLAlchemy and it supports 'hybrid values' and 'type decorators' to do this.

Is it possible to do something similar in SQLObject or do I have to move the functionality to the application level?

regards
Tomas
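
The application-level option the post ends on, as an added example that is not part of the original message or of SQLObject: the functions mirror pgcrypto's gen_salt()/crypt() calling convention so the single salt+hash text column keeps its shape. PBKDF2-SHA256 from the Python standard library is an assumed stand-in for bcrypt ('bf'), so these values are not interchangeable with hashes produced by pgcrypto; the format string and iteration count are also assumptions.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2-sha256"   # assumption: stdlib stand-in for pgcrypto's 'bf' (bcrypt)
ITERATIONS = 600_000     # assumed work factor; tune for your hardware


def gen_salt(iterations=ITERATIONS):
    """Counterpart of gen_salt('bf'): settings prefix with a fresh random salt."""
    salt = base64.b64encode(os.urandom(16)).decode("ascii")
    return f"${ALGO}${iterations}${salt}$"


def crypt(password, setting):
    """Counterpart of crypt(password, setting).

    `setting` is either a gen_salt() prefix or a full stored hash; only the
    algorithm, iteration count and salt are read from it, so passing the
    stored value re-hashes with the same parameters.
    """
    try:
        _, algo, iters, salt, _ = setting.split("$", 4)
        iterations = int(iters)
        raw_salt = base64.b64decode(salt, validate=True)
    except ValueError:  # wrong field count, non-numeric cost, bad base64
        raise ValueError("malformed hash setting") from None
    if algo != ALGO or iterations < 1:
        raise ValueError("unsupported hash setting")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), raw_salt, iterations)
    return f"${algo}${iterations}${salt}${base64.b64encode(digest).decode('ascii')}"


def verify(password, stored):
    """Application-side form of `pwdhash = crypt(password, pwdhash)`."""
    try:
        candidate = crypt(password, stored)
    except ValueError:
        return False  # corrupt or foreign hash never authenticates
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    pwdhash = crypt("mypassword", gen_salt())   # value for the pwdhash column
    print(pwdhash)
    print(verify("mypassword", pwdhash), verify("guess", pwdhash))
```

With this split the ORM only stores and reads an opaque text value, and the plaintext password never appears in the text of an SQL statement.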