Reputation: 3433
How do I get the password in django?
I have a python library which I wrote for something else. So I import that to use in Django, problem I am facing is how to get the password.
mycustom_lib_function(username, password)
username I can pass in through request.user
But, I am not sure how to get the password. Can someone help me? Thanks.
Upvotes: 5
Views: 44280
Answers (4)
Reputation: 155
You can't get the password of the user but you can check whether the given value is correct password or not.
from django.contrib.auth.hashers import check_password
user = User.objects.get(id = user_id) #get the correct user using mail or id
if check_password('my_old_password',user.password):
#update the password here
Upvotes: 1
Reputation: 36290
You technically can store the password as plain-text but its not right from a security stand poit, see this answer, it is highly not recommended! django.contrib.auth.hashers has some good tools to use for passwords, see the official Django docs.
If you have an idea what the plain-text password could be, i.e. I have a globally stored default password in one of my applications that is stored in plain-text, as in the example below. To check if a user has their password set to the default one, you can use the check_password function that will return True if the plain-text matches the encoded password:
from django.contrib.auth.hashers import check_password
from django.contrib.auth.models import User
u = User.objects.all().first()
if check_password('the default password', u.password):
print 'user password matches default password'
else:
print 'user a set custom password'
Also see is_password_usable, and make_password functions.
Upvotes: 6
Reputation: 17731
Your function mycustom_lib_function should not be using a plaintext password. After a user authenticates with your application, you have a User object (from django.contrib.auth.models) that contains a hashed password:
>>> user.username
u'myusername'
>>> user.password
u'sha1$98ffc$b5fd085b8bc1c05fd241dfc97230631926141fe7'
The actual password typed into your form is not stored in plaintext, as standard web security advises you not to store plaintext values of passwords after authentication.
Note that you could check the above hash by performing:
>>> from hashlib import sha1
>>> password = 'weak_password'
>>> _, salt, hashpw = user.password.split('$')
>>> sha1(salt+password).hexdigest() == hashpw
True
Now if your application wraps into another application that you do not control that needs a password to do certain actions, you can possibly consider storing their password in plaintext (or slightly better encrypting it), but django.contrib.auth will not do this for you. It would be better if you set up an OAuth type credential system, which does exactly this functionality without necessitating users reveal their password to the intermediate site.
If its an application that you do control, I would drop the requirement for password to be passed to it.
Upvotes: 5
Reputation: 798636
The password in User is hashed, and so you cannot get it. Ask the user.
Upvotes: 17
Related Questions
- How to update password in django?
- how to retrieve password in django
- How to get password from HTML form to my views in Django
- how does django handle password in form
- Django how to get password after registration form is submitted?
- how to get the password from the database?
- how to check the password in django1.6?
- How to find the password stored in django.contrib.auth.models.User
- How can I get password text box for django?
- Exposing passwords in django