From 0e6ec1728c3040da24de58bf0bfd09ddec620939 Mon Sep 17 00:00:00 2001
From: "Bruno P. Kinoshita"
Date: Fri, 29 Nov 2019 23:49:35 +1300
Subject: [PATCH] use bcrypt's checkpw instead of ==
---
 demos/blog/blog.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/demos/blog/blog.py b/demos/blog/blog.py
index 61771bf2..4f57d464 100755
--- a/demos/blog/blog.py
+++ b/demos/blog/blog.py
@@ -266,14 +266,13 @@ class AuthLoginHandler(BaseHandler):
 except NoResultError:
 self.render("login.html", error="email not found")
 return
- hashed_password = await tornado.ioloop.IOLoop.current().run_in_executor(
+ password_equal = await tornado.ioloop.IOLoop.current().run_in_executor(
 None,
- bcrypt.hashpw,
+ bcrypt.checkpw,
 tornado.escape.utf8(self.get_argument("password")),
 tornado.escape.utf8(author.hashed_password),
 )
- hashed_password = tornado.escape.to_unicode(hashed_password)
- if hashed_password == author.hashed_password:
+ if password_equal:
 self.set_secure_cookie("blogdemo_user", str(author.id))
 self.redirect(self.get_argument("next", "/"))
 else:
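Review bot: On the success branch under `if password_equal:`, `self.redirect(self.get_argument("next", "/"))` sends the newly authenticated user to whatever value the request supplied as `next`, so the login form can be used as an open redirect; the commit leaves this line unchanged. Accept `next` only when it parses as a site-relative path (a single leading `/`, no scheme or host, no `//` or `/\` prefix) and fall back to `/` otherwise. Separately, the `NoResultError` branch renders `error="email not found"` and returns before any bcrypt work is done, so both the message and, probably, the response time distinguish unknown e-mail addresses from wrong passwords; one generic failure message for both cases would close that gap. The handler method starts above this hunk and the `else:` body lies below it, so the wrong-password message is not visible here.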