use bcrypt's checkpw instead of ==

author Bruno P. Kinoshita <kinow@users.noreply.github.com>

Fri, 29 Nov 2019 10:49:35 +0000 (23:49 +1300)

committer Bruno P. Kinoshita <kinow@users.noreply.github.com>

Fri, 29 Nov 2019 10:49:35 +0000 (23:49 +1300)
author Bruno P. Kinoshita <kinow@users.noreply.github.com>
Fri, 29 Nov 2019 10:49:35 +0000 (23:49 +1300)
committer Bruno P. Kinoshita <kinow@users.noreply.github.com>
Fri, 29 Nov 2019 10:49:35 +0000 (23:49 +1300)
diff --git a/demos/blog/blog.py b/demos/blog/blog.py

index 61771bf2f6534a7f63cc3d0c12ba3205c316dd60..4f57d464c420c3525574f0ce8842d786f3897f0f 100755 (executable)
--- a/demos/blog/blog.py
+++ b/demos/blog/blog.py
@@ -266,14 +266,13 @@ class AuthLoginHandler(BaseHandler):
          except NoResultError:
              self.render("login.html", error="email not found")
              return
-        hashed_password = await tornado.ioloop.IOLoop.current().run_in_executor(
+        password_equal = await tornado.ioloop.IOLoop.current().run_in_executor(
              None,
-            bcrypt.hashpw,
+            bcrypt.checkpw,
              tornado.escape.utf8(self.get_argument("password")),
              tornado.escape.utf8(author.hashed_password),
          )
-        hashed_password = tornado.escape.to_unicode(hashed_password)
-        if hashed_password == author.hashed_password:
+        if password_equal:
              self.set_secure_cookie("blogdemo_user", str(author.id))
              self.redirect(self.get_argument("next", "/"))
          else:
author	Bruno P. Kinoshita <kinow@users.noreply.github.com>
	Fri, 29 Nov 2019 10:49:35 +0000 (23:49 +1300)
committer	Bruno P. Kinoshita <kinow@users.noreply.github.com>
	Fri, 29 Nov 2019 10:49:35 +0000 (23:49 +1300)