流程简单梳理

- 入口

from django.contrib.auth import authenticate

user = authenticate(username=cd['username'], password=cd['password'])

# If the given credentials are valid, return a User object.

	- 获取全部用于认证的backend

	settings.AUTHENTICATION_BACKENDS

	Default: ['django.contrib.auth.backends.ModelBackend']

	# https://docs.djangoproject.com/en/1.11/ref/settings/#auth

	- 遍历全部backend并执行认证操作

	user = _authenticate_with_backend(backend, backend_path, request, credentials)

	# credentials: { 'username':'xxx', 'password':'xxx' }

	默认只有ModelBackend这个backend,认证是通过调用这个类里的authenticate函数

		- 通过username查找出user对象

		- user.check_password(password)

		    # django.contrib.auth.base_user.AbstractBaseUser

			- AbstractBaseUser.check_password(self, raw_password)

				- django.contrib.auth.hashers.check_password(raw_password, self.password, setter)

					- 获取settings.PASSWORD_HASHERS里的第一个hash算法

					  默认是 django.contrib.auth.hashers.PBKDF2PasswordHasher

					- 根据self.password来找到当前用户的密码采用的hash算法

					- 判断用户密码采用的hash算法和当前默认的第一hash算法是否相同 (暂且只考虑相同的情况)

					- 把用户密码拆分成:algorithm, iterations, salt, hash,用iterations和hash算法的iterations做对比是否一致

					- 验证:hasher.verify(password, encoded)

						- 把用户输入的密码进行加密:先用hashlib.sha256,然后在用base64.b64encode最终计算出一个hash值

						- 然后把 self.algorithm, iterations, salt, hash 组合成一个字符串,记作encoded_2

						- 把用户真实密码和encoded_2作比较,看看是否相同

		- user_can_authenticate(user)

			- 判断当前用户的 is_active

from django.contrib.auth import authenticate

# 默认的第一个加密算法

class PBKDF2PasswordHasher(BasePasswordHasher):

    """

    Secure password hashing using the PBKDF2 algorithm (recommended)

    Configured to use PBKDF2 + HMAC + SHA256.

    The result is a 64 byte binary string.  Iterations may be changed

    safely but you must rename the algorithm if you change SHA256.

    """

    algorithm = "pbkdf2_sha256"

    iterations = 36000

    digest = hashlib.sha256

    def encode(self, password, salt, iterations=None):

        assert password is not None

        assert salt and '$' not in salt

        if not iterations:

            iterations = self.iterations

        hash = pbkdf2(password, salt, iterations, digest=self.digest)

        hash = base64.b64encode(hash).decode('ascii').strip()

        return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)

    def verify(self, password, encoded):

        algorithm, iterations, salt, hash = encoded.split('$', 3)

        assert algorithm == self.algorithm

        encoded_2 = self.encode(password, salt, int(iterations))

        return constant_time_compare(encoded, encoded_2)

    def safe_summary(self, encoded):

        algorithm, iterations, salt, hash = encoded.split('$', 3)

        assert algorithm == self.algorithm

        return OrderedDict([

            (_('algorithm'), algorithm),

            (_('iterations'), iterations),

            (_('salt'), mask_hash(salt)),

            (_('hash'), mask_hash(hash)),

        ])

    def must_update(self, encoded):

        algorithm, iterations, salt, hash = encoded.split('$', 3)

        return int(iterations) != self.iterations

    def harden_runtime(self, password, encoded):

        algorithm, iterations, salt, hash = encoded.split('$', 3)

        extra_iterations = self.iterations - int(iterations)

        if extra_iterations > 0:

            self.encode(password, salt, extra_iterations)

from django.contrib.auth.hashers import make_password

def make_password(password, salt=None, hasher='default'):

    """

    Turn a plain-text password into a hash for database storage

    Same as encode() but generates a new random salt.

    If password is None then a concatenation of

    UNUSABLE_PASSWORD_PREFIX and a random string will be returned

    which disallows logins. Additional random string reduces chances

    of gaining access to staff or superuser accounts.

    See ticket #20079 for more info.

    """

    if password is None:

        return UNUSABLE_PASSWORD_PREFIX + get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH)

    hasher = get_hasher(hasher)

    if not salt:

        salt = hasher.salt()

    return hasher.encode(password, salt)

from django.contrib.auth.hashers import check_password

def check_password(password, encoded, setter=None, preferred='default'):

    """

    Returns a boolean of whether the raw password matches the three

    part encoded digest.

    If setter is specified, it'll be called when you need to

    regenerate the password.

    """

    if password is None or not is_password_usable(encoded):

        return False

    preferred = get_hasher(preferred)

    hasher = identify_hasher(encoded)

    hasher_changed = hasher.algorithm != preferred.algorithm

    must_update = hasher_changed or preferred.must_update(encoded)

    is_correct = hasher.verify(password, encoded)

    # If the hasher didn't change (we don't protect against enumeration if it

    # does) and the password should get updated, try to close the timing gap

    # between the work factor of the current encoded password and the default

    # work factor.

    if not is_correct and not hasher_changed and must_update:

        hasher.harden_runtime(password, encoded)

    if setter and is_correct and must_update:

        setter(password)

    return is_correct

authenticate在处理用户登录验证时候的过程

import os

os.environ.setdefault('DJANGO_SETTINGS_MODULE','django_auth.settings')

from django.contrib.auth.hashers import (

    check_password, is_password_usable, make_password,

)

if __name__ == '__main__':

    raw_password = 'Qr3!JQc9bU@hrs2qjdqaE'

    password = make_password(raw_password)

    print(password)

    from django.conf import settings

    # print(settings.AUTHENTICATION_BACKENDS) # django.contrib.auth.backends.ModelBackend

    from django.utils.module_loading import import_string

    # for backend_path in settings.AUTHENTICATION_BACKENDS:

    #     backend = import_string(backend_path)()

    #     print(backend_path,backend)

    hashers_lst = settings.PASSWORD_HASHERS

    '''

    [

        'django.contrib.auth.hashers.PBKDF2PasswordHasher',

        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',

        'django.contrib.auth.hashers.Argon2PasswordHasher',

        'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',

        'django.contrib.auth.hashers.BCryptPasswordHasher']

    '''

    preferred = import_string(hashers_lst[0])()

    # <django.contrib.auth.hashers.PBKDF2PasswordHasher object at 0x0000000000B3BAC8>

    print(preferred.algorithm)

    from django.contrib.auth import hashers

    encoded = 'pbkdf2_sha256$36000$0EDgzLtVVT7o$nWQ4t3+iWKzv9p6MUfNIQPazaasadhYUtKt2ubLRCTA='

    hasher = hashers.identify_hasher(encoded)

    # <django.contrib.auth.hashers.PBKDF2PasswordHasher object at 0x0000000000BB8978>

    print(hasher.algorithm)  # pbkdf2_sha256

    hasher_changed = hasher.algorithm != preferred.algorithm

    print(hasher_changed) # False

    is_correct = hasher.verify(raw_password, encoded)

    print(is_correct)

    algorithm, iterations, salt, hash = encoded.split('$', 3)

    print(algorithm, iterations, salt, hash)

    encoded2 = hasher.encode(raw_password, salt, int(iterations))

    print(encoded2)

看源码,打印输出,是接近真相最便捷的途径。  

authenticate验证的流程的更多相关文章

  1. https申请证书并部署到网站流程,浏览器验证证书流程

    https申请证书并部署到网站流程: 1.生成一对秘钥,设公钥为pubk1,私钥为prik12.假设发布的网站地址为https://www.example.com3.生成一个CSR文件(Cerific ...

  2. Token验证的流程及如何准确的判断一个数据的类型

    Token验证的流程: 1,客户端使用用户名跟密码请求登录:2,服务端收到请求,去验证用户名与密码:3,验证成功后,服务端会签发一个 Token,再把这个 Token 发送给客户端:4,客户端收到 T ...

  3. authenticate的执行流程与重写

    流程 1.authenticate调用的是_get_backends函数 def authenticate(request=None, **credentials): for backend, bac ...

  4. springcloud +spring security多种验证方式之第三方token生成自己的token通过校验和自己的表单验证大体流程

    步骤: 1.继承 WebSecurityConfigurerAdapter.class,其中使用两个过滤器,一个spring scurity自带的UsernamePasswordAuthenticat ...

  5. Shiro -- (二) 身份验证基本流程

    简介: 在 shiro 中,用户需要提供 principals (身份)和 credentials(证明)给 shiro,从而应用能验证用户身份: principals:身份,即主体的标识属性,可以是 ...

  6. Apache shiro之身份验证(登陆)流程

    从张开涛blog学习后整理:http://jinnianshilongnian.iteye.com/blog/2018398 上图中的类和接口都可以继承和实现来个性化自己的实现. 其中重点看一下Mod ...

  7. SharePoint2010 Form验证配置流程

    1.修改管理中心的Web.config文件,位置:C:\inetpub\wwwroot\wss\VirtualDirectories\42903 2.修改应用程序的Web.config文件,位置:C: ...

  8. 【ASP.NET】编程点滴 :ASP.NET身份验证

    ASP.NET实际开发中身份验证 是一个不可回避的问题.在相当一段长的时间内,由于不求甚解,我对这个话题似懂非懂.今天就对它做个简单的小结. Authentication and Authorizat ...

  9. ASP.NET Forms身份验证概述

    表单身份验证允许您使用自己的代码对用户进行身份验证,然后在cookie或页面URL中维护身份验证令牌.表单身份验证通过FormsAuthenticationModule类参与ASP.NET页面生命周期 ...

随机推荐

  1. 牛客网noip集训4

    T1 (A)[https://www.nowcoder.com/acm/contest/175/A] 给出 l, r, k,请从小到大输出所有在 [l, r] 范围内,能表示为 k 的非负整数次方的所 ...

  2. ViewHolder模式的简洁写法

    大家通常怎么写ViewHolder呢? ViewHolder holder = null; if(convertView == null){ convertView = mInflater.infla ...

  3. H5左侧滑删除简单实现

    简单的左滑删除 实现功能 在一个列表的一条中,往左滑动时,右边出现删除按钮,点击可删除这一条 实现办法 列表中一项为父div,其中包含内容div和删除按钮span 父div相对定位,设置宽度.内容di ...

  4. [Vani有约会]雨天的尾巴(树上差分+线段树合并)

    首先村落里的一共有n座房屋,并形成一个树状结构.然后救济粮分m次发放,每次选择两个房屋(x,y),然后对于x到y的路径上(含x和y)每座房子里发放一袋z类型的救济粮. 然后深绘里想知道,当所有的救济粮 ...

  5. SHOI2008仙人掌图(tarjan+dp)

    Solution 好题啊没的说. 本题需要求出仙人掌的直径,但仙人掌是一个带有简单环的一张图无法直接用树形dp求解,但它有一个好东西就是没有类似环套环的东西,所以我们在处理时就方便了一些. 思路:ta ...

  6. 移动端利用-webkit-box水平垂直居中(旧弹性盒)

    新弹性盒水平垂直居中参考:http://www.cnblogs.com/ooo0/p/7562884.html 新旧弹性盒样式参考:http://www.cnblogs.com/ooo0/p/7562 ...

  7. Electron入门笔记(一)-自己快速搭建一个app demo

    Electron学习-快速搭建app demo 作者: 狐狸家的鱼 Github: 八至 一.安装Node 1.从node官网下载 ,最好安装.msi后缀名的文件,新手可以查看安装教程进行安装. 2. ...

  8. WIndows下将文件夹映射为磁盘

    subst 盘符 文件夹路径 [/d] 映射 将e:\work映射为z:盘,使用subst z: e:\work 取消映射 取消z盘映射,使用subst z: /d 参考资料:http://mp.we ...

  9. QTREE5 - Query on a tree V——LCT

    QTREE5 - Query on a tree V 动态点分治和动态边分治用Qtree4的做法即可. LCT: 换根后,求子树最浅的白点深度. 但是也可以不换根.类似平常换根的往上g,往下f的拼凑 ...

  10. 跟我一起使用android Studio打包react-native项目的APK

    使用的是react-native的hello-world项目 第一步:创建项目 npm install -g yarn react-native-cli react-native init Aweso ...