"email": "johndoe@example.com",
"hashed_password": "fakehashedsecret",
"disabled": False,
+ },
+ "alice": {
+ "username": "alice",
+ "full_name": "Alice Wonderson",
+ "email": "alice@example.com",
+ "hashed_password": "fakehashedsecret2",
+ "disabled": True,
}
}
if not user_dict:
raise HTTPException(status_code=400, detail="Incorrect username or password")
user = UserInDB(**user_dict)
- hashed_password = fake_hash_password(data.password)
+ hashed_password = fake_hash_password(form_data.password)
if not hashed_password == user.hashed_password:
raise HTTPException(status_code=400, detail="Incorrect username or password")
* The **database model** would probably need to have a hashed password.
!!! danger
- Never store user's plaintext passwords. Always store a secure hash that you can then verify.
+ Never store user's plaintext passwords. Always store a "secure hash" that you can then verify.
+
+ If you don't know, you will learn what a "password hash" is in the <a href="/tutorial/security/simple-oauth2/#password-hashing" target="_blank">security chapters</a>.
## Multiple models
{!./src/extra_models/tutorial001.py!}
```
+#### About `**user_dict`
+
+`UserInDB(**user_dict)` means:
+
+Pass the keys and values of the `user_dict` directly as key-value arguments, equivalent to:
+
+```Python
+UserInDB(
+ username = user_dict["username"],
+ password = user_dict["password"],
+ email = user_dict["email"],
+ full_name = user_dict["full_name"],
+)
+```
+
+And then adding the extra `hashed_password=hashed_password`, like in:
+
+```Python
+UserInDB(**user_in.dict(), hashed_password=hashed_password)
+```
+
+...ends up being like:
+
+```Python
+UserInDB(
+ username = user_dict["username"],
+ password = user_dict["password"],
+ email = user_dict["email"],
+ full_name = user_dict["full_name"],
+ hashed_password = hashed_password,
+)
+```
+
!!! warning
The supporting additional functions are just to demo a possible flow of the data, but they of course are not providing any real security.
So, install PassLib with Bcrypt:
-```Python
+```bash
pip install passlib[bcrypt]
```
First, import `OAuth2PasswordRequestForm`, and use it as a dependency with `Depends` for the path `/token`:
-```Python hl_lines="2 66"
+```Python hl_lines="2 73"
{!./src/security/tutorial003.py!}
```
For the error, we use the exception `HTTPException` provided by Starlette directly:
-```Python hl_lines="4 67 68 69"
+```Python hl_lines="4 74 75 76"
{!./src/security/tutorial003.py!}
```
If the passwords don't match, we return the same error.
-```Python hl_lines="70 71 72 73"
+#### Password hashing
+
+"Hashing" means: converting some content (a password in this case) into a sequence of bytes (just a string) that look like gibberish.
+
+Whenever you pass exactly the same content (exactly the same password) you get exactly the same gibberish.
+
+But you cannot convert from the gibberish back to the password.
+
+##### What for?
+
+If your database is stolen, the thief won't have your users' plaintext passwords, only the hashes.
+
+So, the thief won't be able to try to use that password in another system (as many users use the same password everywhere, this would be dangerous).
+
+```Python hl_lines="77 78 79 80"
{!./src/security/tutorial003.py!}
```
But for now, let's focus on the specific details we need.
-```Python hl_lines="75"
+```Python hl_lines="82"
{!./src/security/tutorial003.py!}
```
So, in our endpoint, we will only get a user if the user exists, was correctly authenticated, and is active:
-```Python hl_lines="50 51 52 53 54 55 56 59 60 61 62 79"
+```Python hl_lines="57 58 59 60 61 62 63 66 67 68 69 86"
{!./src/security/tutorial003.py!}
```
Use the credentials:
User: `johndoe`
+
Password: `secret`
<img src="/img/tutorial/security/image04.png">
}
```
+### Inactive user
+
+Now try with an inactive user, authenticate with:
+
+User: `alice`
+
+Password: `secret2`
+
+And try to use the operation `GET` with the path `/users/me`.
+
+You will get an "inactive user" error, like:
+
+```JSON
+{
+ "detail": "Inactive user"
+}
+```
+
## Recap
You now have the tools to implement a complete security system based on `username` and `password` for your API.
projects / thirdparty / fastapi / fastapi.git / commitdiff
