Merge pull request #2783 from kinow/fix-1824

Use bcrypt's checkpw instead of == in demo blog app
Ben Darnell 2019-12-08 16:01:27 -05:00 committed by GitHub
commit 74a4ba0b3f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 4 deletions


@ -266,14 +266,13 @@ class AuthLoginHandler(BaseHandler):
except NoResultError:
self.render("login.html", error="email not found")
return
hashed_password = await tornado.ioloop.IOLoop.current().run_in_executor(
password_equal = await tornado.ioloop.IOLoop.current().run_in_executor(
None,
bcrypt.hashpw,
bcrypt.checkpw,
tornado.escape.utf8(self.get_argument("password")),
tornado.escape.utf8(author.hashed_password),
)
hashed_password = tornado.escape.to_unicode(hashed_password)
if hashed_password == author.hashed_password:
if password_equal:
self.set_secure_cookie("blogdemo_user", str(author.id))
self.redirect(self.get_argument("next", "/"))
else:
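Review bot: The early return at the top of the hunk renders "email not found" and never reaches the bcrypt call, so an unknown email gets a different message and a much faster response than a known one, which lets a client tell registered addresses apart. With the check now a single `bcrypt.checkpw` call, consider one generic error on both paths, e.g. `self.render("login.html", error="incorrect email or password")`, and running `checkpw` against a fixed dummy hash when no author is found so both paths cost about the same. Separately, `self.redirect(self.get_argument("next", "/"))` redirects to a request-supplied URL without checking that it is a local path; a comment such as `# NOTE: validate that "next" is a relative path before redirecting` would flag this for readers who copy the demo. The handler method starts above the hunk and the `else:` branch continues below it, so the wording of the wrong-password error is not visible here.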