diff --git a/flask_security/decorators.py b/flask_security/decorators.py index e7ddad5..5787679 100644 --- a/flask_security/decorators.py +++ b/flask_security/decorators.py @@ -67,7 +67,7 @@ def _check_http_auth(): auth = request.authorization or dict(username=None, password=None) user = _security.datastore.find_user(email=auth.username) - if user and utils.verify_password(auth.password, user): + if user and utils.verify_and_update_password(auth.password, user): _security.datastore.commit() app = current_app._get_current_object() identity_changed.send(app, identity=Identity(user.id)) diff --git a/flask_security/forms.py b/flask_security/forms.py index 12bf3c9..3539f63 100644 --- a/flask_security/forms.py +++ b/flask_security/forms.py @@ -16,7 +16,7 @@ from flask.ext.wtf import Form as BaseForm, TextField, PasswordField, \ from werkzeug.local import LocalProxy from .confirmable import requires_confirmation -from .utils import verify_password, get_message +from .utils import verify_and_update_password, get_message # Convenient reference _datastore = LocalProxy(lambda: current_app.extensions['security'].datastore) @@ -162,7 +162,7 @@ class LoginForm(Form, NextFormMixin): if self.user is None: self.email.errors.append('Specified user does not exist') return False - if not verify_password(self.password.data, self.user): + if not verify_and_update_password(self.password.data, self.user): self.password.errors.append('Invalid password') return False if requires_confirmation(self.user): diff --git a/flask_security/utils.py b/flask_security/utils.py index 40f427a..5531ec0 100644 --- a/flask_security/utils.py +++ b/flask_security/utils.py @@ -82,12 +82,16 @@ def get_hmac(password): return base64.b64encode(h.digest()) -def verify_password(password, user): - verify, new_password = _pwd_context.verify_and_update(get_hmac(password), user.password) - if verify and new_password: +def verify_password(password, password_hash): + return _pwd_context.verify(get_hmac(password), password_hash) + + +def verify_and_update_password(password, user): + verified, new_password = _pwd_context.verify_and_update(get_hmac(password), user.password) + if verified and new_password: user.password = new_password _datastore.put(user) - return verify + return verified def encrypt_password(password):