Reputation: 797
I'm currently trying to migrate my Flask Users over to a Django Backend.
However, when I'm using passlib to verify the hash, I can't figure out why it won't verify.
Our flask app settings
SECURITY_PASSWORD_HASH = "pbkdf2_sha512"
SECURITY_PASSWORD_SALT = "stackoverflow" # this is an example
An example of a hash I pulled from a database
flask_hash = "$pbkdf2sha512$12000$ZQyhNEbIOSfk/J/T2vs/Bw$j.yxtixV.DqAcpsY9XTnJZZb3lCkR2fMWmV329Uc7Y/vz5Z0yMshEkYlUsE2Y9xm8TICwYkG55RgAplzZzLl7g"
So I created a custom pbkdf2_sha512 with the rounds and salt
from passlib.hash import pbkdf2_sha512
rounds = 12000
salt = "stackoverflow".encode() # assume I swapped this out with the right salt
custom_pbkdf2 = pbkdf2_sha512.using(rounds=rounds, salt=salt)
verify_result = custom_pbkdf2.verify(hash=flask_hash, secret=password)
print (verify_result) # false
But if I create a new hash ... it does work
test_hash = custom_pbkdf2.hash('testing-if-this-works')
test_hash_confirm = custom_pbkdf2.verify('testing-if-this-works', hash=test_hash)
Is there something I'm missing? Thank you so much for any help here ... I know the password to this -- it's a dummy account I used for testing.
Upvotes: 1
Views: 529
Reputation: 140
I was stuck in exactly the same situation, luckily found this reddit thread, which had the explanation.
Basically, what you have to do to verify the user is:
from flask_security.utils import verify_password
verify_password(<plain text password>, <password hash>)
More details here
Upvotes: 1
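Why the check in the question fails while verify_password works, as an added example that is not part of either post: with its default double-hash setting, Flask-Security does not hand SECURITY_PASSWORD_SALT to PBKDF2 as the salt; it first computes a base64-encoded HMAC-SHA512 of the password keyed with that value and passes the result to passlib, whose own per-user salt lives inside the stored hash. The sketch below reproduces that with the standard library only, so the check can run in a Django backend without Flask; the function names and the sample password, salt and hash are constructed for illustration.

```python
import base64
import hashlib
import hmac


def flask_security_prehash(password: str, password_salt: str) -> bytes:
    """HMAC-SHA512 of the password keyed with SECURITY_PASSWORD_SALT, base64-encoded."""
    mac = hmac.new(password_salt.encode(), password.encode(), hashlib.sha512)
    return base64.b64encode(mac.digest())


def ab64_decode(text: str) -> bytes:
    """passlib's 'adapted base64': '.' in place of '+', padding stripped."""
    return base64.b64decode(text.replace(".", "+") + "=" * (-len(text) % 4))


def ab64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")


def pbkdf2_matches(secret: bytes, stored: str) -> bool:
    """Check secret against a passlib-style $pbkdf2-sha512$rounds$salt$checksum hash."""
    _, ident, rounds, salt, checksum = stored.split("$")
    # passlib writes the ident with a hyphen; the hash quoted in the question
    # shows it without one, so both spellings are accepted here (assumption).
    if ident.replace("-", "") != "pbkdf2sha512":
        raise ValueError("not a pbkdf2-sha512 hash")
    derived = hashlib.pbkdf2_hmac("sha512", secret, ab64_decode(salt), int(rounds))
    return hmac.compare_digest(derived, ab64_decode(checksum))


def verify_flask_security(password: str, stored: str, password_salt: str) -> bool:
    """Equivalent of the answer's verify_password, without importing Flask-Security."""
    return pbkdf2_matches(flask_security_prehash(password, password_salt), stored)


def make_sample_hash(password, password_salt, rounds=12000, salt=b"constructed-salt"):
    """Build a constructed hash the way the Flask app would have stored it."""
    secret = flask_security_prehash(password, password_salt)
    derived = hashlib.pbkdf2_hmac("sha512", secret, salt, rounds)
    return f"$pbkdf2-sha512${rounds}${ab64_encode(salt)}${ab64_encode(derived)}"


if __name__ == "__main__":
    stored = make_sample_hash("dummy-password", "stackoverflow")
    # Raw password straight into PBKDF2, as attempted in the question.
    print(pbkdf2_matches(b"dummy-password", stored))
    # Pre-hashed with the application-wide salt first, as Flask-Security does.
    print(verify_flask_security("dummy-password", stored, "stackoverflow"))
```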