andrewdesantis.com : User Authentication with PostgreSQL database

User Authentication with PostgreSQL database

##Problem

  • You want a system to authenticate users, with a postgresql database.

##Solution

  • A user authentication system could have a lot of functions. For this example, we’re only going to manage the authentication process, through a postgresql database.

##Needed

  • web.py for all the web functions, and hashlib to store the passwords securely:

    import web import hashlib

1st: The database

First of all, we need a table for the users. This scheme is very simple, but is enough for a lot of projects.

## CREATE TABLE example_users ( id serial NOT NULL, user character varying(80) NOT NULL, pass character(40) NOT NULL, email character varying(100) NOT NULL, privilege integer NOT NULL DEFAULT 0, CONSTRAINT utilisateur_pkey PRIMARY KEY (id) )

2nd: the urls

There will be 2 states during the login/logout session:

  • “Login” is for the login page

  • “Reset” for the logout page.

sessions doesn’t work in debug mode because it interfere with reloading. see session_with_reloader for more details.

## web.config.debug = False

urls = (
  '/login', 'Login',
  '/reset', 'Reset',
)
app = web.application(urls, locals())
db = web.database(dbn='postgres', db='YOURDB', user='USERNAME', pw='PASSWORD')

store = web.session.DiskStore('sessions')
session = web.session.Session(app, store,
                              initializer={'login': 0, 'privilege': 0})

3rd: Logged or not logged ?

To manage the access for people who are logged or not is very easy. Just define the logged expression like this, and use it for your login/reset classes:

## def logged(): if session.login==1: return True else: return False

4th: Easy Privleges Management

I manage my users in 4 categories: admin+user+reader (logged), and visitors (not logged). The directory template is choosing according to the privilege specified in the table example_users.

## def create_render(privilege): if logged(): if privilege == 0: render = web.template.render(‘templates/reader’) elif privilege == 1: render = web.template.render(‘templates/user’) elif privilege == 2: render = web.template.render(‘templates/admin’) else: render = web.template.render(‘templates/communs’) else: render = web.template.render(‘templates/communs’) return render

5th: Login and Reset Python Classes

Now, let’s have fun:

  • If you are already logged, you are redirecting to the login_double.html template file
  • Else, to the login.html.

## class Login:

    def GET(self):
        if logged():
            render = create_render(session.privilege)
            return '%s' % render.login_double()
        else:
            render = create_render(session.privilege)
            return '%s' % render.login()
  • Ok, ok. Now, for the POST(). According to the .html file, we recover the variables posted in the form (see the login.html), and we compare it to the example_users.user row.
  • For security, we don’t store passwords in the database directly, but store the hash of the password + salt; this is kind of line one-way encryption, so we can tell if the user’s passwords match, but an attacker couldn’t figure out what the password was to start with.
  • If the login/pass is ok, redirect to the login_ok.html.
  • If not, redirect to the login_error.html.

## def POST(self): name, passwd = web.input().name, web.input().passwd ident = db.select(‘example_users’, where=’name=$name’, vars=locals())[0] try: if hashlib.sha1(“sAlT754-“+passwd).hexdigest() == ident[‘pass’]: session.login = 1 session.privilege = ident[‘privilege’] render = create_render(session.privilege) return render.login_ok() else: session.login = 0 session.privilege = 0 render = create_render(session.privilege) return render.login_error() except: session.login = 0 session.privilege = 0 render = create_render(session.privilege) return render.login_error()

For the reset function, we just kill the session, and redirect to the logout.html template file. ## class Reset:

    def GET(self):
        session.login = 0
        session.kill()
        render = create_render(session.privilege)
        return render.logout()

6th: HTML templates help

Well, I think that nobody will need this, but, I prefer to give all the informations. The most important is the login.html.

## <form action="/login" method="POST"> <table id="login"> <tr> <td>User: </td> <td></td> </tr> <tr> <td>Password: </td> <td></td> </tr> <tr> <td></td> <td></td> </tr> </table> </form>

7th: Some problems or questions ?

  • Mail: you can contact me at guillaume(at)process-evolution(dot)fr
  • IRC: #webpy on irc.freenode.net (pseudo: Ephedrax)
  • Translations: I’m french, and my english is bad…you can edit my work
  • Revision: Vayn