Ali Husham

Reputation: 936

Does Django encode passwords in the database?

I created a user with the password password123, but in the database the password field looks like this: pbkdf2_sha256$260000$rJZWVrYXlokRG8fGMS1fek$S7Dm9soflUsy0Q74CJP8sB60tgfRWuRPdqj5XL0DBV0=

  1. So how should I create a new user in order to keep the Django password encoding functionality?
  2. Also, how do I deactivate this password encoding functionality?

Upvotes: 0

Views: 813

Answers (3)

OZahed

Reputation: 493

Django uses encryption middlewares to encrypt passwords (since the database sees passwords as VarChar fields, so Django's model sees them as plain text unless it is told otherwise). If you want the Django User model to use encryption, you must call

user_obj.set_password(passwd_text)

With this line of code, you tell Django to run encryption algorithms. For example, in your case, you can first use the serializer's extra_kwargs to exclude passwords from database-readable data, then create the user.

from django.contrib.auth.models import User
from rest_framework import serializers


class CreateUserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['email', 'username', 'password']
        # write_only: the password is accepted on input but never serialized back out
        extra_kwargs = {'password': {'write_only': True}}

    def create(self, validated_data):
        # Pull the raw password out so it is never assigned to the model field directly
        password = validated_data.pop("password")
        user = User(**validated_data)
        # set_password() runs the configured hasher before the value is stored
        user.set_password(password)
        user.save()
        return user

If you want to read more on Django users and passwords, read these docs: the user model doc, and the encryption types and password management doc.

Upvotes: 2

Mojtaba Arezoomand

Reputation: 2380

You need to override the create method in your User Create Serializer:

from django.contrib.auth.models import User
from rest_framework import serializers


class UserCreateSerializer(serializers.ModelSerializer):

    def create(self, validated_data):
        # create_user() hashes the password before saving, unlike User(**data).save()
        user = User.objects.create_user(**validated_data)
        return user

    class Meta:
        model = User
        fields = "__all__"  # or your specific fields
        extra_kwargs = {
            # accepted on input, never returned in responses
            "password": {"write_only": True},
        }

Now your user password will be saved as hashed password in database.

Upvotes: 2

michjnich

Reputation: 3395

Re: question 2.

Django does not store the password, only a hashed value of the password, which it uses for comparison when the user logs in.

It is not possible to reverse engineer the password from this hash (well, mathematically it is possible, but you don't have the resources to run that process). Nor should it be.

If you wanted a password field that wasn't hashed, you would use just a string field. But... DON'T DO THIS! It is massively insecure.

There is no need for you to know the user's password.

As for question 1, I'm not sure why you're not seeing it hashed - you will need to post some code.

Upvotes: 1
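To make concrete what the stored value in the question is and how a login check uses it, here is an added example (not code from the answers above or from Django itself): a pure-hashlib re-creation of the pbkdf2_sha256$iterations$salt$hash layout Django writes, plus the verification step that re-derives the key from a candidate password. The salt and iteration count passed in the demo are assumptions chosen for illustration; only the example string itself comes from the question.

```python
import base64
import hashlib
import hmac
import secrets

# The value quoted in the question, used here only to demonstrate the format.
EXAMPLE_STORED = (
    "pbkdf2_sha256$260000$rJZWVrYXlokRG8fGMS1fek$"
    "S7Dm9soflUsy0Q74CJP8sB60tgfRWuRPdqj5XL0DBV0="
)


def parse_django_hash(stored):
    """Split the '<algorithm>$<iterations>$<salt>$<base64 key>' layout into its parts."""
    algorithm, iterations, salt, digest = stored.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: " + algorithm)
    return algorithm, int(iterations), salt, digest


def make_password(password, salt=None, iterations=260000):
    """Build a string in the same layout as Django's PBKDF2 hasher (re-implemented here).

    Only the derived key is kept; the cleartext never reaches the database.
    """
    if salt is None:
        # Assumption: a random URL-safe token stands in for Django's alphanumeric salt.
        salt = secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain the field separator '$'")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(key).decode())


def verify_password(password, stored):
    """Re-derive the key with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt, digest = parse_django_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(base64.b64encode(candidate).decode(), digest)
```

The check never recovers the original password: it only tests whether a candidate derives to the same key, which is why there is no "decode" step to switch off.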
