moved bcrypt_check_password to basic_auth/tools from auth/lib

mediagoblin/auth/__init__.py

@@ -16,8 +16,8 @@
 from mediagoblin.tools.pluginapi import hook_handle
 
 
-def check_login(user, login_form):
-    return hook_handle("auth_check_login", user, login_form)
+def check_login(user, password):
+    return hook_handle("auth_check_login", user, password)
 
 
 def get_user(*args):

mediagoblin/auth/lib.py

@@ -23,38 +23,6 @@ from mediagoblin.tools.template import render_template
 from mediagoblin import mg_globals
 
 
-def bcrypt_check_password(raw_pass, stored_hash, extra_salt=None):
-    """
-    Check to see if this password matches.
-
-    Args:
-    - raw_pass: user submitted password to check for authenticity.
-    - stored_hash: The hash of the raw password (and possibly extra
-      salt) to check against
-    - extra_salt: (optional) If this password is with stored with a
-      non-database extra salt (probably in the config file) for extra
-      security, factor this into the check.
-
-    Returns:
-      True or False depending on success.
-    """
-    if extra_salt:
-        raw_pass = u"%s:%s" % (extra_salt, raw_pass)
-
-    hashed_pass = bcrypt.hashpw(raw_pass.encode('utf-8'), stored_hash)
-
-    # Reduce risk of timing attacks by hashing again with a random
-    # number (thx to zooko on this advice, which I hopefully
-    # incorporated right.)
-    #
-    # See also:
-    rand_salt = bcrypt.gensalt(5)
-    randplus_stored_hash = bcrypt.hashpw(stored_hash, rand_salt)
-    randplus_hashed_pass = bcrypt.hashpw(hashed_pass, rand_salt)
-
-    return randplus_stored_hash == randplus_hashed_pass
-
-
 def bcrypt_gen_password_hash(raw_pass, extra_salt=None):
     """
     Generate a salt for this new password.

mediagoblin/auth/views.py

@@ -105,7 +105,7 @@ def login(request):
         if login_form.validate():
             user = auth.get_user(login_form)
 
-            if user and auth.check_login(user, login_form):
+            if user and auth.check_login(user, login_form.password.data):
                 # set up login in session
                 request.session['user_id'] = unicode(user.id)
                 request.session.save()

mediagoblin/db/mixin.py

@@ -34,7 +34,7 @@ import datetime
 from werkzeug.utils import cached_property
 
 from mediagoblin import mg_globals
-from mediagoblin.auth import lib as auth_lib
+from mediagoblin import auth
 from mediagoblin.media_types import get_media_managers, FileTypeNotSupported
 from mediagoblin.tools import common, licenses
 from mediagoblin.tools.text import cleaned_markdown_conversion
@@ -46,8 +46,7 @@ class UserMixin(object):
         """
         See if a user can login with this password
         """
-        return auth_lib.bcrypt_check_password(
-            password, self.pw_hash)
+        return auth.check_login(self, password)
 
     @property
     def bio_html(self):

mediagoblin/edit/views.py

@@ -23,6 +23,7 @@ from mediagoblin import messages
 from mediagoblin import mg_globals
 
 from mediagoblin.auth import lib as auth_lib
+from mediagoblin import auth
 from mediagoblin.edit import forms
 from mediagoblin.edit.lib import may_edit_media
 from mediagoblin.decorators import (require_active_login, active_user_from_url,

mediagoblin/plugins/basic_auth/__init__.py

@@ -17,6 +17,7 @@ import os
 import uuid
 
 import forms as auth_forms
+import tools as auth_tools
 from mediagoblin.auth import lib as auth_lib
 from mediagoblin.db.models import User
 from mediagoblin.tools.translate import pass_to_ugettext as _
@@ -28,8 +29,8 @@ def setup_plugin():
     config = pluginapi.get_config('mediagoblin.pluginapi.basic_auth')
 
 
-def check_login(user, login_form):
-    return user.check_login(login_form.password.data)
+def check_login(user, password):
+    return auth_tools.bcrypt_check_password(password, user.pw_hash)
 
 
 def get_user(login_form):