miguelgrinberg / Flask-HTTPAuth

Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes
MIT License

Digest Auth plain-text passwords #144

Closed HomiGrotas closed 2 years ago

HomiGrotas commented 2 years ago

Hi, is there an option in the HTTPDigestAuth model to NOT save passwords in plain text? I couldn't find a function that I could implement in order to compare the given password hash to the password in DB...

miguelgrinberg commented 2 years ago

You don't need any support from this library to do that. Just store the hashed password in your database, and then in your verify callback use your password hashing comparison function to check if the password is correct.

HomiGrotas commented 2 years ago

But HTTPDigestAuth doesn't use verify_password but get_password... Maybe I missed something? As I understood, the user response is sent hashed to the server, isn't it?

miguelgrinberg commented 2 years ago

I don't use digest auth; it's been many years since this code was written, and you are correct: it never got a "verify"-style callback.

The hashing option for digest is to store the "HA1" value of the password instead of the password itself (when you set the use_ha1_pw=True option). But this is an MD5 hash, so it is not a strong hash.

Another option you may consider is to encrypt your password in your database instead of hashing it.
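
Concretely, this is what storing HA1 instead of the password looks like on the server side. The code below is an added example written for this thread, not Flask-HTTPAuth's own code; it assumes a constructed realm name, an in-memory user store, one-time server-issued nonces, and the RFC 2617 response form without qop (MD5(HA1:nonce:MD5(method:uri))). It does not reproduce the library's internals, only the property the thread is about: the server can verify a digest response from HA1 alone and never needs the plaintext.

```python
import hashlib
import hmac
import secrets

# Constructed realm for this example; in a real application the realm comes
# from the HTTPDigestAuth(realm=...) constructor.
REALM = "example-realm"


def generate_ha1(username: str, password: str, realm: str = REALM) -> str:
    """HA1 = MD5(username:realm:password).

    This is the value kept in place of the password when the digest scheme
    works from HA1 (use_ha1_pw=True). It is a single unsalted MD5 and is
    password-equivalent for this realm, so the column holding it needs the
    same protection as a password column would.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


# Constructed in-memory "database": only HA1 is stored, never the password.
USERS = {
    "alice": generate_ha1("alice", "correct horse battery staple"),
}

# Server-issued nonces not yet consumed (assumption: one-time nonces; the
# library has its own nonce/opaque generation and checks).
_ISSUED_NONCES: set[str] = set()


def issue_nonce() -> str:
    """Create the nonce the server sends in its WWW-Authenticate challenge."""
    nonce = secrets.token_hex(16)
    _ISSUED_NONCES.add(nonce)
    return nonce


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri)).

    The client derives HA1 from the password it knows; the server recomputes
    the same value from the stored HA1, which is why plaintext is unnecessary.
    """
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def verify_digest(username: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """Server-side check that uses only the stored HA1."""
    if nonce not in _ISSUED_NONCES:
        return False  # unknown or already-consumed nonce: reject (replay protection)
    ha1 = USERS.get(username)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce)
    if not hmac.compare_digest(expected, response):
        return False
    _ISSUED_NONCES.discard(nonce)  # each nonce is accepted exactly once
    return True


if __name__ == "__main__":
    nonce = issue_nonce()
    # Client side: derive HA1 from the password, then answer the challenge.
    client_ha1 = generate_ha1("alice", "correct horse battery staple")
    resp = digest_response(client_ha1, "GET", "/secret", nonce)
    print("valid response accepted:", verify_digest("alice", "GET", "/secret", nonce, resp))
    print("replay with same nonce accepted:", verify_digest("alice", "GET", "/secret", nonce, resp))
```

The trade-off this makes visible is the one Miguel points out: HA1 is an unsalted MD5, and because the protocol requires the server to reconstruct it on every request, digest auth cannot be backed by a slow, salted hash the way a basic-auth verify_password callback can. A leaked HA1 table should therefore be treated as a credential leak for that realm, and the usual compensating controls (TLS, fresh nonces, rate limiting) still apply.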

HomiGrotas commented 2 years ago

Ok, thanks a lot!