I am working on a project which is like a CMS (Content Management System) for a website. I am developing this system with Django (Python), but I am new to Django.

I have my own User model (not the Django user model) that contains some fields like username, email, password, etc., and I create new users from my own admin panel.

How can I compare the encrypted password with the user's password that is posted on the login page?

For example, the first time I create a user, the password 123 is saved in the DB like pbkdf2_sha24123$000asd$... After that I try to log in with the password 123, but I get an error that the passwords are not equal.

from django.contrib.auth.hashers import make_password
from account.models import myUsers

password = make_password(request.POST.get('password'))
email = request.POST.get('email')

if myUsers.password == password and myUsers.email == email:
    pass  # make login and redirect to panel
else:
    pass  # show error message

My own model looks like this:

import uuid

from django.db import models


def make_recovery_key():
    # Callable default: a bare uuid.uuid4().hex[:15] in the field definition is
    # evaluated once at import time and reused for every user, which then fails
    # on the unique constraint as soon as a second user is created.
    return uuid.uuid4().hex[:15]


class myUsers(models.Model):
    username = models.CharField(max_length=25, verbose_name='username', unique=True)
    email = models.CharField(max_length=225, verbose_name='email', unique=True)
    password = models.CharField(max_length=225, verbose_name='password')
    created_at = models.DateTimeField(auto_now_add=True, verbose_name='created date')
    secret_question = models.CharField(max_length=225, verbose_name='secret question')
    secret_answer = models.CharField(max_length=225, verbose_name='secret answer')
    last_login = models.DateTimeField(verbose_name='last login')
    secret_guid_key = models.CharField(max_length=15, verbose_name='recover key', unique=True, editable=False, default=make_recovery_key)
    user_role = models.CharField(max_length=6, verbose_name='member role')
user518851726681
  • Django itself comes with a login/signup system and it is too easy to start with; check this out [link](https://simpleisbetterthancomplex.com/tutorial/2016/06/27/how-to-use-djangos-built-in-login-system.html) – mohammedgqudah Oct 22 '17 at 15:24
  • @mohammedqudah thanks for the comment, but I do not want to use that. I am just trying to make my own model. – user518851726681 Oct 22 '17 at 15:26
  • If you created your own user model just for the extra fields, read this about extending the user model in Django [link](https://simpleisbetterthancomplex.com/tutorial/2016/07/22/how-to-extend-django-user-model.html) – mohammedgqudah Oct 22 '17 at 15:26
  • @bullception Would you please update your code with the models also? – Abdul Niyas P M Oct 22 '17 at 15:26
  • @ABDULNIYASPM I did. mohammedqudah, thanks for the article. – user518851726681 Oct 22 '17 at 16:38

5 Answers

A User object has a method called check_password() that hashes your plain-text password and checks it against the hashed password stored in the DB.

https://docs.djangoproject.com/en/2.2/ref/contrib/auth/#django.contrib.auth.models.User.check_password

Example Usage:

from account.models import myUsers

password = request.POST.get('password')
email = request.POST.get('email')

user = myUsers.objects.get(email=email)

if user.check_password(password):
    pass  # Success Code
else:
    pass  # Error Code
ASD

I think you should try Django's authenticate function.

from django.contrib.auth import authenticate

user = authenticate(username=username, password=password)
jackquin

You shouldn't compare passwords:

if myUsers.password == password ..:

but rather the hash of the password:

if myUsers.password == myPasswordHashFunction(password) ..:

How to write myPasswordHashFunction is something you should know in detail, or you're better off using Django's authenticate function.

If you're not a security expert, then please (please!) don't invent your own way to authenticate and authorize users.

thebjorn
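The first answer's check_password() and thebjorn's myPasswordHashFunction come down to the same check. This added example (not code from either answer or from Django) reimplements the pbkdf2_sha256 storage format Django uses, "algorithm$iterations$salt$hash", with the standard library, to show why re-hashing the submitted password and comparing strings, as the question's code does, can never match (a fresh salt every time) and how verification instead reuses the salt and iteration count stored with the hash. In a Django project call django.contrib.auth.hashers.check_password(raw, encoded) rather than this; the iteration count below is an assumption.

```python
import base64
import hashlib
import hmac
import os

# Django stores pbkdf2_sha256 hashes as "algorithm$iterations$salt$hash".
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 260000  # assumed value, not taken from the page


def _pbkdf2(password: str, salt: str, iterations: int) -> str:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return base64.b64encode(digest).decode("ascii")


def make_password(password: str, salt: str = "",
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash a plain-text password, drawing a fresh random salt unless one is given."""
    if not salt:
        # A new salt on every call is why hashing the login attempt again and
        # comparing the two strings, as the question's code does, never matches.
        salt = base64.b64encode(os.urandom(12)).decode("ascii").rstrip("=")
    return f"{ALGORITHM}${iterations}${salt}${_pbkdf2(password, salt, iterations)}"


def check_password(password: str, encoded: str) -> bool:
    """Verify a login attempt against the stored hash using its own salt/iterations."""
    try:
        algorithm, iterations, salt, stored = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or unsupported stored value
    if algorithm != ALGORITHM:
        return False
    candidate = _pbkdf2(password, salt, iterations)
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    stored = make_password("123")          # what the admin panel should save
    print(stored)
    print(make_password("123") == stored)  # False: different salt each time
    print(check_password("123", stored))   # True
    print(check_password("124", stored))   # False
```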

Try this code:

from django.contrib import auth
from django.contrib import messages
from django.shortcuts import redirect, render


def signin(request):
    if request.method == 'POST':
        username = request.POST['username']
        password = request.POST['password']
        user = auth.authenticate(username=username, password=password)
        if user:
            auth.login(request, user)
            return redirect('/')
        else:
            messages.info(request, 'Invalid credentials!!')
            return redirect('signin')
    else:
        return render(request, 'signin.html')

By default, the Django authentication system provided in django.contrib.auth requires the end user to authenticate themselves using a username and password. If you're using email and password for user authentication, you need a custom authentication backend. This link will help you.

Link : https://stackoverflow.com/a/37332393/9563316

If you use username and password for user authentication, you should try something like this.

from django.contrib.auth import authenticate, login
from django.contrib import messages
from django.shortcuts import redirect, render

def userLogin(request):
    if request.method == 'POST':
        username = request.POST.get('username')
        password = request.POST.get('password')

        user = authenticate(request, username=username, password=password)

        if user is not None:
            login(request, user)
            return redirect('somewhere-you-want')
        else:
            messages.error(request, 'Invalid user login credentials!')
            return redirect('userLogin')
    else:
        return render(request, 'login.html')

See docs here : https://docs.djangoproject.com/en/3.0/topics/auth/default/

BK94