When I use basic authentication for user login with a name and plaintext password, the user is logged in correctly.

The password is correctly hashed during registration. When I store the hashed password and try to authenticate against it, the program gives this error:

AttributeError: type object 'User' has no attribute 'query'

Could you please tell me what is wrong? I suspect that the checking function can't find the hashed password in the SQLAlchemy database. Thank you.

When I use:

query = s.query(User).filter(User.username.in_([POST_USERNAME]))

I get:

AttributeError: Neither 'InstrumentedAttribute' object nor 'Comparator' object associated with User.password has an attribute 'split'

    import hashlib
    import uuid

    from flask import Flask, flash, render_template, request, session
    from sqlalchemy import Column, Integer, String, create_engine
    from sqlalchemy.ext.declarative import declarative_base
    from sqlalchemy.orm import sessionmaker

    engine = create_engine('sqlite:///tutorial.db', echo=True)

    app = Flask(__name__)
    app.config.from_object(__name__)
    app.config['SECRET_KEY'] = 'XXXXX'

    def hash_password(password):
        # Stored format: sha256(salt + password) as hex, then ':' and the salt
        salt = uuid.uuid4().hex
        return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ':' + salt

    def check_password(hashed_password, user_password):
        password, salt = hashed_password.split(':')
        return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()

    Base = declarative_base()

    class User(Base):

        __tablename__ = "users"

        id = Column(Integer, primary_key=True)
        username = Column(String(64))
        password = Column(String(120))
        email = Column(String(64))

        def __init__(self, username, password, email):
            self.username = username
            self.password = password
            self.email = email

        def check_password(hashed_password, user_password):
            password, salt = hashed_password.split(':')
            return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()

    Base.metadata.create_all(engine)

    @app.route("/")
    def index():
        return render_template('index.html')

    @app.route('/login', methods=['POST'])
    def do_admin_login():
        POST_USERNAME = str(request.form['username'])
        POST_PASSWORD = str(request.form['password'])

        Session = sessionmaker(bind=engine)
        s = Session()
        # This line raises: type object 'User' has no attribute 'query'
        user = User.query.filter_by(username=POST_USERNAME).first()
        # User.password is the column attribute of the class, not a stored hash
        if check_password(User.password, POST_PASSWORD) == True:
            session['logged_in'] = True
        else:
            flash('wrong password!')
        return index()

1 Answer

Query like this. s is your session.

user = s.query(User).filter_by(username=POST_USERNAME).first()

Then your if statement for check password is wrong. You're trying to use the model class instead of the user instance you just got. Should be:

if check_password(user.password, POST_PASSWORD) == True:

Also, some other pointers: The module Flask-SQLAlchemy helps you use SQLAlchemy in Flask (defines your session globally). Also consider using bcrypt for passwords. It is MUCH safer than SHA.

1 Comment

Working, thank you so much, I spent hours trying to solve it. I will look into bcrypt, this is just for a prototype and bcrypt was giving the same error, so it should be good now.
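
An added example, not part of the original question, answer or comment: one way to act on the answer's two pointers, checking the fetched `user` instance (which is `None` when `.first()` finds no row) and moving stored passwords off salted SHA-256 as users log in. It uses the standard library's PBKDF2 as a stand-in for bcrypt, which is a third-party package; `legacy_hash`, `verify`, `login`, the work factor and the `pbkdf2$...` record layout are assumptions made for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def hash_password(password):
    """Return 'pbkdf2$<iterations>$<salt hex>$<digest hex>' from a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def legacy_hash(password, salt):
    """The question's format: sha256(salt + password) as hex, ':' and the salt."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ":" + salt


def verify(stored, candidate):
    """Return (ok, needs_rehash) for a stored record in either format."""
    if stored.startswith("pbkdf2$"):
        try:
            _, iters, salt_hex, digest_hex = stored.split("$")
            expected = bytes.fromhex(digest_hex)
            actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                         bytes.fromhex(salt_hex), int(iters))
        except (ValueError, OverflowError):
            return False, False  # malformed record: fail closed
        ok = hmac.compare_digest(actual, expected)
        return ok, ok and int(iters) < PBKDF2_ITERATIONS
    _, sep, salt = stored.partition(":")
    if not sep:
        return False, False  # not in the 'hash:salt' layout at all
    # Constant-time comparison instead of '==' on the hex strings
    ok = hmac.compare_digest(legacy_hash(candidate, salt).encode(), stored.encode())
    return ok, ok  # a correct login against a legacy record should be re-hashed


def login(user, candidate):
    """`user` is the object returned by .first(), or None for an unknown name."""
    if user is None:
        return False
    ok, needs_rehash = verify(user.password, candidate)
    if ok and needs_rehash:
        user.password = hash_password(candidate)  # caller commits the session
    return ok
```

In the question's route this would be called as `login(s.query(User).filter_by(username=POST_USERNAME).first(), POST_PASSWORD)`, followed by `s.commit()` so an upgraded hash is saved; the `password` column must be wide enough for the longer record.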
