From: Bruno P. Kinoshita
Date: Fri, 29 Nov 2019 10:49:35 +0000 (+1300)
Subject: use bcrypt's checkpw instead of ==
X-Git-Tag: v6.1.0b1~41^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2783%2Fhead;p=thirdparty%2Ftornado.git

use bcrypt's checkpw instead of ==
---

diff --git a/demos/blog/blog.py b/demos/blog/blog.py
index 61771bf2f..4f57d464c 100755
--- a/demos/blog/blog.py
+++ b/demos/blog/blog.py
@@ -266,14 +266,13 @@ class AuthLoginHandler(BaseHandler):
 except NoResultError:
 self.render("login.html", error="email not found")
 return
- hashed_password = await tornado.ioloop.IOLoop.current().run_in_executor(
+ password_equal = await tornado.ioloop.IOLoop.current().run_in_executor(
 None,
- bcrypt.hashpw,
+ bcrypt.checkpw,
 tornado.escape.utf8(self.get_argument("password")),
 tornado.escape.utf8(author.hashed_password),
 )
- hashed_password = tornado.escape.to_unicode(hashed_password)
- if hashed_password == author.hashed_password:
+ if password_equal:
 self.set_secure_cookie("blogdemo_user", str(author.id))
 self.redirect(self.get_argument("next", "/"))
 else:
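Review bot: The success branch still passes `self.get_argument("next", "/")` straight to `self.redirect`, so a login link carrying an absolute or scheme-relative `next` value sends the freshly authenticated user to an external site. Restrict it to local paths before redirecting, for example `next_url = self.get_argument("next", "/")` followed by `if not next_url.startswith("/") or next_url.startswith(("//", "/\\")): next_url = "/"`. Separately, `bcrypt.checkpw` makes the hash comparison itself constant-time, but the early `return` on `NoResultError` with the distinct "email not found" message still reveals which addresses are registered and skips the bcrypt work for unknown ones; one generic error for both failure cases would remove that signal. The handler method begins above this hunk and the `else:` branch continues below it, so the handling of a wrong password is not visible here.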