Reputation: 3657
Creating a password user registration using make_password django
I'm trying to create a registration form where a user enter's in a username/password combination.
I want the password to use MyPBKDF2 for password hashing.
I have hashers.py
from django.contrib.auth.hashers import PBKDF2PasswordHasher
class MyPBKDF2PasswordHasher(PBKDF2PasswordHasher):
"""
A subclass of PBKDF2PasswordHasher that uses 100 times more iterations.
"""
iterations = PBKDF2PasswordHasher.iterations * 100
settings.py
PASSWORD_HASHERS = (
'MyApp.hashers.MyPBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher',
)
views.py
def Registration(request):
RegForm = RegistrationForm(request.POST or None)
if request.method == 'POST':
if RegForm.is_valid():
clearUserName = RegForm.cleaned_data['userNm'] #set clean username
hashpass = make_password(RegForm.cleaned_data['userPass'], None, 'pbkdf2_sha256')
RegForm.save()
try:
return HttpResponseRedirect('/Newuser/?userNm=' + clearUserName)
except:
raise ValidationError(('Invalid request'), code='300') ## [ TODO ]: add a custom error page here.
else:
RegForm = RegistrationForm()
return render(request, 'Myapp/reuse/register.html', {
'RegForm': RegForm
})
forms.py c
lass RegistrationForm(ModelForm):
userPass = forms.CharField(widget=forms.PasswordInput, label='Password')
class Meta:
model = Client
fields = ['userNm','userPass']
def clean_RegForm(self):
cleanedUserName = self.cleaned_data.get('userNm')
if Client.objects.filter(userNm=cleanedUserName).exists():
errorMsg = u"Error occurred."
raise ValidationError(errorMsg)
else:
return cleanedUserName
I'm getting the password submitting, but in plain text - which is no good.
What am I doing wrong here?
Upvotes: 0
Views: 4933
Answers (1)
Reputation: 15484
Well.. you're creating hashed password, but not saving it anywhere. And because you're saving form (which inherits from ModelForm), the password fields is saved straight from the password form field.
You can override save method and set hashpass as password. But I think the best practice here is to use UserCreationForm which handles password hashing for you (it will use the first password hasher from your list).
There are some examples here on SO, showing how to customize UserCreationForm, so search around.
Pseudo-code:
forms.py
from django.contrib.auth.forms import UserCreationForm
class RegisterForm(UserCreationForm):
def __init__(self, *args, **kwargs):
super(RegisterForm, self).__init__(*args, **kwargs)
# do not require password confirmation
del self.fields['password2']
views.py
def home(request):
form = RegisterForm()
if request.method == "POST":
form = RegisterForm(request.POST)
if form.is_valid():
user = form.save()
# redirect!
return render(request, 'home.html', {
'form': form
})
Upvotes: 2
Related Questions
- Custom User class, password isn't hashed when creating user from the form
- Django set_password(password) doesn't hash the password
- Django password not hashed when creating new accounts
- django how to create hashed password using create_user() method
- Generate Django Password
- Django password hasher with username in hash
- How can I change password into hash?
- Django 1.9 Bulk Create New Users Not hashing Passwords Correctly
- django hash password when create user from shell
- How to use password hasher snippet in Django?