Previous topic

Using Identity

Next topic

Identity Recipes

Using Identity with Encrypted PasswordsΒΆ

When a new project is started via tg-admin quickstart you have the choice to activate identity management for your application. One less known functionality is that you can automatically encrypt passwords in the database to avoid storing clear-text password inside your back-end.

This functionality is a must have for any real life application that goes beyond the demo application on a laptop machine.

The first thing to do is to edit the app.cfg file that is present in your application and set the line about the saprovider:

identity.soprovider.encryption_algorithm = 'md5'

or:

identity.soprovider.encryption_algorithm = 'sha1'

the choice between md5 or sha1 is left to the reader.

If you’re using SQLAlchemy instead of SQLObject, then you need to make these setting for the saprovider instead of the soprovider. e.g.:

identity.saprovider.encryption_algorithm = 'sha1'

Once this is done you will not be able to log into your existing application any more because all your clear text password are now useless.

To create a new user with encrypted password from the command line you should launch the shell:

tg-admin shell

Considering that your application package is named myapp, at the shell type the following sequence to create a new user with encrypted password:

>>> from myapp import model
>>> import turbogears as tg
>>> u = model.User() # instantiate a new user
>>> u.user_name = 'testuser'
>>> u.email_address = 'test@test'
>>> u.display_name = 'test user with encrypted passwd'
>>> u.password = 'testpass'
>>> session.flush()

Since TurboGears 1.0.3, the encryption is taken care of automatically by TurboGears when you set the password attribute. If you are using a version lesser than 1.0.3, you will need to use the manual encryption method: tg.indentity.encrypt_password(). This means the line for setting the password would look like this:

>>> u.password = tg.identity.encrypt_password('testpass')

At this point you have a new user that has an encrypted password in the database:

>>> u.password
'179ad45c6ce2cb97cf1029e212046e81'

For people using SQLObject you should create your user without any call to encrypt. Everything will work as is without interaction on your part.

Since TurboGears 1.0.3 you can also provide your own encryption algorithm.

Fir example, if you want to use an encryption funtion encrypt_password defined in your model file, you would set in app.cfg:

identity.soprovider.encryption_algorithm = 'custom'
identity.custom_encryption = '${package}.model.encrypt_password'

This also works with the saprovider. In this case, you would set:

identity.saprovider.encryption_algorithm = 'custom'