Damir

Reputation: 56189

How to use function to verify password inside sqlalchemy query?

How do I use a function to verify a password inside an SQLAlchemy query? In

from sqlalchemy import Column, Integer, String
from sqlalchemy.ext.declarative import declarative_base
Base = declarative_base()
class PersonModel(Base):
    __tablename__ = 'persons'
    id = Column(Integer, primary_key=True)  # a mapped table needs a primary key
    username = Column(String(30), nullable=False)
    email = Column(String(75), nullable=False)
    password = Column(String(128), nullable=False)

I store the password using sha256_crypt.encrypt("password_string") from http://pythonhosted.org/passlib/ and I can verify it with sha256_crypt.verify(password_to_check_against, hash).

(I tried something like

person = session.query(PersonModel).filter(and_(PersonModel.username.like(username), PersonModel.password.like(sha256_crypt.encrypt(password_string)))).first()

but it doesn't work: sha256_crypt.encrypt(password_string) generates a different value than the one in the DB for the same password, and I cannot use the == operator, only sha256_crypt.verify from the site.) How do I inject this into my query?

Upvotes: 1

Views: 2052

Answers (1)

Brendan Long

Reputation: 54242

You need to use sha256_crypt.verify(), and you can't do it in an AND clause because it needs the password hash string for verification.

If you look at an example of the output for this function, and the documentation for "modular crypt format":

$5$rounds=80000$zvpXD3gCkrt7tw.1$QqeTSolNHEfgryc5oMgiq1o8qCEAcmye3FoMSuvgToC

  • The 5 at the beginning means sha256_crypt.
  • rounds=80000 is how many times it was hashed.
  • The next section between the $'s is the salt.
  • The last section is actually the digest output.

So it actually needs all of those first three parts, plus the plain-text password to hash it the same way.

To do this, first get your user's information:

person = session.query(PersonModel).filter(PersonModel.username.like(username)).first()

Then do the verification:

is_authenticated = sha256_crypt.verify(password_string, person.password)

Upvotes: 5
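The following is an added example, not part of the question or of Brendan Long's answer. It shows the fetch-then-verify pattern the answer describes and why a WHERE clause on the hash cannot work: two hashes of the same password differ because each carries a fresh random salt, so the verifier must parse the stored string (scheme, rounds, salt, digest) and re-hash with those parameters. It assumes PBKDF2-HMAC-SHA256 from hashlib as a stand-in for passlib's sha256_crypt (same string layout, different algorithm) and a plain dict standing in for the session.query() lookup, so it runs without SQLAlchemy or passlib installed; PERSONS and its sample user are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for sha256_crypt: PBKDF2-HMAC-SHA256 rendered in a
# modular-crypt-format-style string "$scheme$rounds=N$salt$digest".
SCHEME = "pbkdf2-sha256"
DEFAULT_ROUNDS = 80000


def _b64(raw: bytes) -> str:
    # Unpadded base64 never contains '$', so splitting on '$' stays unambiguous.
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash; a fresh random salt is drawn on every call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$%s$rounds=%d$%s$%s" % (SCHEME, rounds, _b64(salt), _b64(digest))


def parse_hash(stored: str) -> Tuple[str, int, bytes, bytes]:
    """Split "$scheme$rounds=N$salt$digest" into (scheme, rounds, salt, digest)."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or not parts[2].startswith("rounds="):
        raise ValueError("not a recognised hash string")
    _, scheme, rounds_field, salt_b64, digest_b64 = parts
    return scheme, int(rounds_field[len("rounds="):]), _unb64(salt_b64), _unb64(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Re-hash with the salt and rounds taken from `stored`; compare in constant time."""
    scheme, rounds, salt, expected = parse_hash(stored)
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Constructed in-memory stand-in for the `persons` table: username -> stored hash.
PERSONS = {
    "alice": hash_password("correct horse battery staple"),
}

# Used on the unknown-user path so a missing account costs the same time as a real check.
_DUMMY_HASH = hash_password("dummy")


def authenticate(username: str, password: str) -> bool:
    """Look the user up by username only, then verify the password in Python."""
    stored = PERSONS.get(username)
    if stored is None:
        verify_password(password, _DUMMY_HASH)  # equalise timing; result ignored
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    h1 = hash_password("secret")
    h2 = hash_password("secret")
    print("two hashes of the same password differ:", h1 != h2)
    print("both still verify:", verify_password("secret", h1) and verify_password("secret", h2))
    print("alice, correct password:", authenticate("alice", "correct horse battery staple"))
    print("alice, wrong password:", authenticate("alice", "wrong"))
```

Two points carry over to the real SQLAlchemy version: filter on the username with == rather than like(), since like() treats % and _ in user input as wildcards, and keep the comparison of digests in hmac.compare_digest (passlib's verify() does this for you) so that a mismatch is not reported faster than a match.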
