Only use password salt if using hmac

2026-06-27 16:10:11 +08:00 · 2012-08-20 18:17:29 -04:00
parent 332575e53b
commit 101fa42e55
2 changed files with 14 additions and 6 deletions
@@ -85,19 +85,27 @@ def get_hmac(msg, salt=None, digestmod=None):
    return base64.b64encode(hmac.new(salt, msg, digestmod).digest())


-def verify_password(password, password_hash, salt=None, use_hmac=None):
-    salt = salt or _security.password_salt
+def verify_password(password, password_hash, use_hmac=None):
    if use_hmac is None:
        use_hmac = _security.password_hmac
-    hmac_value = get_hmac(password, salt) if use_hmac else password
+
+    if use_hmac:
+        hmac_value = get_hmac(password, _security.password_hmac_salt)
+    else:
+        hmac_value = password
+
    return _pwd_context.verify(hmac_value, password_hash)


 def encrypt_password(password, salt=None, use_hmac=None):
-    salt = salt or _security.password_salt
    if use_hmac is None:
        use_hmac = _security.password_hmac
-    hmac_value = get_hmac(password, salt) if use_hmac else password
+
+    if use_hmac:
+        hmac_value = get_hmac(password, _security.password_hmac_salt)
+    else:
+        hmac_value = password
+
    return _pwd_context.encrypt(hmac_value)


@@ -203,7 +203,7 @@ class ConfiguredSecurityTests(SecurityTest):

    AUTH_CONFIG = {
        'SECURITY_PASSWORD_HASH': 'bcrypt',
-        'SECURITY_PASSWORD_SALT': 'so-salty',
+        'SECURITY_PASSWORD_HMAC_SALT': 'so-salty',
        'SECURITY_PASSWORD_HMAC': True,
        'SECURITY_REGISTERABLE': True,
        'SECURITY_AUTH_URL': '/custom_auth',