流程简单梳理
- 入口
from django.contrib.auth import authenticate
user = authenticate(username=cd['username'], password=cd['password'])
# If the given credentials are valid, return a User object.
- 获取全部用于认证的backend
settings.AUTHENTICATION_BACKENDS
Default: ['django.contrib.auth.backends.ModelBackend']
# https://docs.djangoproject.com/en/1.11/ref/settings/#auth
- 遍历全部backend并执行认证操作
user = _authenticate_with_backend(backend, backend_path, request, credentials)
# credentials: { 'username':'xxx', 'password':'xxx' }
默认只有ModelBackend这个backend,认证是通过调用这个类里的authenticate函数
- 通过username查找出user对象
- user.check_password(password)
# django.contrib.auth.base_user.AbstractBaseUser
- AbstractBaseUser.check_password(self, raw_password)
- django.contrib.auth.hashers.check_password(raw_password, self.password, setter)
- 获取settings.PASSWORD_HASHERS里的第一个hash算法
默认是 django.contrib.auth.hashers.PBKDF2PasswordHasher
- 根据self.password来找到当前用户的密码采用的hash算法
- 判断用户密码采用的hash算法和当前默认的第一hash算法是否相同 (暂且只考虑相同的情况)
- 把用户密码拆分成:algorithm, iterations, salt, hash,用iterations和hash算法的iterations做对比是否一致
- 验证:hasher.verify(password, encoded)
- 把用户输入的密码进行加密:先用hashlib.sha256,然后在用base64.b64encode最终计算出一个hash值
- 然后把 self.algorithm, iterations, salt, hash 组合成一个字符串,记作encoded_2
- 把用户真实密码和encoded_2作比较,看看是否相同
- user_can_authenticate(user)
- 判断当前用户的 is_active
from django.contrib.auth import authenticate
# 默认的第一个加密算法
class PBKDF2PasswordHasher(BasePasswordHasher):
"""
Secure password hashing using the PBKDF2 algorithm (recommended)
Configured to use PBKDF2 + HMAC + SHA256.
The result is a 64 byte binary string. Iterations may be changed
safely but you must rename the algorithm if you change SHA256.
"""
algorithm = "pbkdf2_sha256"
iterations = 36000
digest = hashlib.sha256
def encode(self, password, salt, iterations=None):
assert password is not None
assert salt and '$' not in salt
if not iterations:
iterations = self.iterations
hash = pbkdf2(password, salt, iterations, digest=self.digest)
hash = base64.b64encode(hash).decode('ascii').strip()
return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
def verify(self, password, encoded):
algorithm, iterations, salt, hash = encoded.split('$', 3)
assert algorithm == self.algorithm
encoded_2 = self.encode(password, salt, int(iterations))
return constant_time_compare(encoded, encoded_2)
def safe_summary(self, encoded):
algorithm, iterations, salt, hash = encoded.split('$', 3)
assert algorithm == self.algorithm
return OrderedDict([
(_('algorithm'), algorithm),
(_('iterations'), iterations),
(_('salt'), mask_hash(salt)),
(_('hash'), mask_hash(hash)),
])
def must_update(self, encoded):
algorithm, iterations, salt, hash = encoded.split('$', 3)
return int(iterations) != self.iterations
def harden_runtime(self, password, encoded):
algorithm, iterations, salt, hash = encoded.split('$', 3)
extra_iterations = self.iterations - int(iterations)
if extra_iterations > 0:
self.encode(password, salt, extra_iterations)
from django.contrib.auth.hashers import make_password
def make_password(password, salt=None, hasher='default'):
"""
Turn a plain-text password into a hash for database storage
Same as encode() but generates a new random salt.
If password is None then a concatenation of
UNUSABLE_PASSWORD_PREFIX and a random string will be returned
which disallows logins. Additional random string reduces chances
of gaining access to staff or superuser accounts.
See ticket #20079 for more info.
"""
if password is None:
return UNUSABLE_PASSWORD_PREFIX + get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH)
hasher = get_hasher(hasher)
if not salt:
salt = hasher.salt()
return hasher.encode(password, salt)
from django.contrib.auth.hashers import check_password
def check_password(password, encoded, setter=None, preferred='default'):
"""
Returns a boolean of whether the raw password matches the three
part encoded digest.
If setter is specified, it'll be called when you need to
regenerate the password.
"""
if password is None or not is_password_usable(encoded):
return False
preferred = get_hasher(preferred)
hasher = identify_hasher(encoded)
hasher_changed = hasher.algorithm != preferred.algorithm
must_update = hasher_changed or preferred.must_update(encoded)
is_correct = hasher.verify(password, encoded)
# If the hasher didn't change (we don't protect against enumeration if it
# does) and the password should get updated, try to close the timing gap
# between the work factor of the current encoded password and the default
# work factor.
if not is_correct and not hasher_changed and must_update:
hasher.harden_runtime(password, encoded)
if setter and is_correct and must_update:
setter(password)
return is_correct
authenticate在处理用户登录验证时候的过程
import os
os.environ.setdefault('DJANGO_SETTINGS_MODULE','django_auth.settings')
from django.contrib.auth.hashers import (
check_password, is_password_usable, make_password,
)
if __name__ == '__main__':
raw_password = 'Qr3!JQc9bU@hrs2qjdqaE'
password = make_password(raw_password)
print(password)
from django.conf import settings
# print(settings.AUTHENTICATION_BACKENDS) # django.contrib.auth.backends.ModelBackend
from django.utils.module_loading import import_string
# for backend_path in settings.AUTHENTICATION_BACKENDS:
# backend = import_string(backend_path)()
# print(backend_path,backend)
hashers_lst = settings.PASSWORD_HASHERS
'''
[
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.Argon2PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher']
'''
preferred = import_string(hashers_lst[0])()
# <django.contrib.auth.hashers.PBKDF2PasswordHasher object at 0x0000000000B3BAC8>
print(preferred.algorithm)
from django.contrib.auth import hashers
encoded = 'pbkdf2_sha256$36000$0EDgzLtVVT7o$nWQ4t3+iWKzv9p6MUfNIQPazaasadhYUtKt2ubLRCTA='
hasher = hashers.identify_hasher(encoded)
# <django.contrib.auth.hashers.PBKDF2PasswordHasher object at 0x0000000000BB8978>
print(hasher.algorithm) # pbkdf2_sha256
hasher_changed = hasher.algorithm != preferred.algorithm
print(hasher_changed) # False
is_correct = hasher.verify(raw_password, encoded)
print(is_correct)
algorithm, iterations, salt, hash = encoded.split('$', 3)
print(algorithm, iterations, salt, hash)
encoded2 = hasher.encode(raw_password, salt, int(iterations))
print(encoded2)
看源码,打印输出,是接近真相最便捷的途径。