I am using Python and MySql to handle user authentication. I have added the users thru python with the exact same method, but when I try to do the "login"/authentication it does not match.
This is my code for authentication:
# Collecting data from users.
username=data['username']
password=data['password']
cur=mysql.connection.cursor()
# Checks if username exists.
check_username = cur.execute("SELECT * FROM `users` WHERE `username`=%s",[username])
if check_username > 0:
# Retrieves the correct salt of the user.
cur.execute("SELECT `salt` FROM `users` WHERE `username`=%s",[username])
get_salt = cur.fetchone()
# Generates the hashed password of the user.
hashed_password=(hashlib.sha256((str(password[0:2]) str(get_salt[0]) str(password[2:])).encode('utf-8')).hexdigest()).lower()
# Retrieves the hashed password of the user from the database.
cur.execute("SELECT `password` FROM `users` WHERE `username`=%s",[username])
get_password = cur.fetchone()
# Checks if identical.
if get_password[0] == hashed_password:
return jsonify("Authentication successful!"),201
else: return jsonify("Authentication failed!"),401
else: return 'Incorrect username. Please try again.'
The hashed_password does not return the same hashed password that is stored in the database.
And this is the code I used to insert the users.
username=data['username']
password=data['password']
salt=data['salt']
cur=mysql.connection.cursor()
# Generates the hashed password of the user.
hashed_password=(hashlib.sha256((str(password[0:2]) str(salt[0]) str(password[2:])).encode('utf-8')).hexdigest()).lower()
# Adds user to database.
add_user = cur.execute(" INSERT INTO `users` (`username`, `password`, `salt`) VALUES (%s, %s, %s);",[username,hashed_password, salt])
Does anyone see what is causing this?
CodePudding user response:
Looking at the insertion code, you seem to treat salt like the get_salt tuple, get first item, not knowing what it is originally, that might be the source of your issues as I would not expect the first salt you get to be in a tuple.
Here is a version that works, it's using SQLite rather than MySQL, but the changes are minimal besides formatting.
Also, I recommend you use hashlib.hash.update() rather than your large and complicated one step hashing. And by default hexdigest is lowercase, so no need to .lower() it.
# db setup
import hashlib
import sqlite3
con = sqlite3.connect(":memory:")
cur = con.cursor()
cur.execute("CREATE TABLE users (username TEXT, salt TEXT, password TEXT)")
in_username = "ljmc"
in_salt = "verysecuresalt"
in_password = "p4assW0rD1!"
h = hashlib.sha256()
h.update(str(in_password[:2]).encode("utf-8"))
h.update(str(in_salt).encode("utf-8")) # here salt[0] is just b"v" not the whole salt
h.update(str(in_password[2:]).encode("utf-8"))
in_hashed_password = h.hexdigest()
cur.execute(
"INSERT INTO users VALUES (?, ?, ?)",
(in_username, in_salt, in_hashed_password), # then store whole salt
)
con.commit()
# user check
username = in_username
password = good_password
# Checks if username exists.
check_username = cur.execute(
"SELECT COUNT(*) FROM users WHERE username = ?", [username]
).fetchone()
if check_username[0] > 0:
# Retrieves the correct salt of the user.
cur.execute("SELECT salt FROM users WHERE username=?", [username])
get_salt = cur.fetchone() # get the whole salt
# Generates the hashed password of the user.
hashed_password = (
hashlib.sha256(
(str(password[0:2]) str(get_salt[0]) str(password[2:])).encode(
"utf-8"
)
).hexdigest()
).lower() # use the whole salt
# Retrieves the hashed password of the user from the database.
cur.execute("SELECT password FROM users WHERE username=?", [username])
get_password = cur.fetchone()
# Checks if identical.
if get_password[0] == hashed_password:
print("Authentication successful!")
else:
print("Authentication failed!")