CREATING AN AUTHENTICATION SERVICE IN PYTHON USING SALT
Coming across an authentication system as a programmer is very common because today almost every web system needs to control and maintain its customers' data and as most of them are sensitive resources, it is necessary to keep them secure. I like to think that security, like many non-functional requirements of an API, can be measured or tested by imagining various scenarios. In an authentication service, for example, we can think: what if someone tries to discover a user's password through brute force, what if another user tries to use another client's access token, what if, accidentally, two users create their credentials with the same password, etc.
By imagining these situations, we can anticipate and create preventive measures. Creating criteria for the password can make it very difficult to discover through brute force, or applying a rate limit to your API can prevent malicious actions, for example. In this article I intend to focus on the problem of the last scenario. Two users registering on the same system with the same password is a serious breach in the system.
It is good practice to keep user passwords encrypted at the bank, which keeps data safer from leaks. The code below shows how a simple credential registration system works in Python.
@dataclass
class CreateCredentialUsecase:
_credential_repository: CredentialRepositoryInterface
_password_salt_repository: PasswordSaltRepositoryInterface
async def handle(self, data: CreateCredentialInputDto) -> CreateCredentialOutputDto:
try:
now = datetime.now()
self.__hash = sha256()
self.__hash.update(data.password.encode())
self.__credential = Credential(
uuid4(), data.email, self.__hash.hexdigest(), now, now
)
credential_id = await self._credential_repository.create(self.__credential)
return CreateCredentialOutputDto(UUID(credential_id))
except Exception as e:
raise e
The first 4 lines are the class definition using the @dataclass decorator to omit the constructor method, its properties and the function signature. Inside the try/except block, the current timestamp is first defined, we instantiate the Hash object, update it with the password that is provided, save it in the bank and, finally, return the credential id to the user. Here you might think "okay... if the password is encrypted I don't need to worry, right?". However, this is not the case and I will explain.
What happens is that when passwords are encrypted this is done through a hash, a type of data structure that maps an input to a final value, however, if two inputs are the same, the same password is stored. This is the same as saying that the hash is deterministic. Note the example below that illustrates a simple table in a database that stores the user and hash.
| user | password |
|---|---|
| alice@example.com | 5e884898da28047151d0e56f8dc6292773603d0d |
| bob@example.com | 6dcd4ce23d88e2ee9568ba546c007c63e8f6f8d6 |
| carol@example.com | a3c5b2c98b4325c6c8c6f6e6dbda6cf17b5d7f9a |
| dave@example.com | 1a79a4d60de6718e8e5b326e338ae533 |
| eve@example.com | 5e884898da28047151d0e56f8dc6292773603d0d |
| frank@example.com | 7c6a180b36896a8a8c6a2c29e7d7b1d3 |
| grace@example.com | 3c59dc048e885024e146d1e4d9d0e4b2 |
Neste exemplo, as linhas 1 e 5 compartilham o mesmo hash e, portanto, a mesma senha. Para contornarmos esse problema podemos utilizar o salt.
Vamos colocar um pouco de sal nessa senha...
A ideia é que no momento do cadastro do usuário uma string seja gerada de forma aleatória e seja concatenada a senha do usuário antes das credenciais serem salvas no banco. Em seguida esse salt é salvo em uma tabela separada e deve ser utilizada novamente durante o login do usuário. O código alterado ficaria como o exemplo abaixo:
@dataclass
class CreateCredentialUsecase:
_credential_repository: CredentialRepositoryInterface
_password_salt_repository: PasswordSaltRepositoryInterface
async def handle(self, data: CreateCredentialInputDto) -> CreateCredentialOutputDto:
try:
now = datetime.now()
self.__salt = urandom(32)
self.__hash = sha256()
self.__hash.update(self.__salt + data.password.encode())
self.__credential = Credential(
uuid4(), data.email, self.__hash.hexdigest(), now, now
)
self.__salt = PasswordSalt(
uuid4(), self.__salt.hex(), self.__credential.id, now, now
)
credential_id = await self._credential_repository.create(self.__credential)
await self._password_salt_repository.create(self.__salt)
return CreateCredentialOutputDto(UUID(credential_id))
except Exception as e:
raise e
Agora é possível notar o salt gerado na linha 59. Em seguida ele é utilizado para gerar o hash junto com a senha que o usuário cadastrou, na linha 61. Por fim ele é instanciado através da classe PasswordSalt na linha 65 e armazenado no banco na linha 70. Por último, o código abaixo é o caso de uso de autenticação/login utilizando o salt.
@dataclass
class AuthUsecase:
_credential_repository: CredentialRepositoryInterface
_jwt_service: JWTService
_refresh_token_repository: RefreshTokenRepositoryInterface
async def handle(self, data: AuthInputDto) -> AuthOutputDto:
try:
ACCESS_TOKEN_HOURS_TO_EXPIRATION = int(
getenv("ACCESS_TOKEN_HOURS_TO_EXPIRATION")
)
REFRESH_TOKEN_HOURS_TO_EXPIRATION = int(
getenv("REFRESH_TOKEN_HOURS_TO_EXPIRATION")
)
self.__credential = await self._credential_repository.find_by_email(
data.email
)
if self.__credential is None:
raise InvalidCredentials()
self.__hash = sha256()
self.__hash.update(
bytes.fromhex(self.__credential.salt) + data.password.encode()
)
if self.__hash.hexdigest() != self.__credential.hashed_password:
raise InvalidCredentials()
access_token_expiration_time = datetime.now() + timedelta(
hours=(
ACCESS_TOKEN_HOURS_TO_EXPIRATION
if ACCESS_TOKEN_HOURS_TO_EXPIRATION is not None
else 24
)
)
refresh_token_expiration_time = datetime.now() + timedelta(
hours=(
REFRESH_TOKEN_HOURS_TO_EXPIRATION
if REFRESH_TOKEN_HOURS_TO_EXPIRATION is not None
else 48
)
)
access_token_payload = {
"credential_id": self.__credential.id,
"email": self.__credential.email,
"exp": access_token_expiration_time,
}
access_token = self._jwt_service.encode(access_token_payload)
refresh_token_payload = {
"exp": refresh_token_expiration_time,
"context": {
"credential": {
"id": self.__credential.id,
"email": self.__credential.email,
},
},
}
refresh_token = self._jwt_service.encode(refresh_token_payload)
print(self._jwt_service.decode(refresh_token))
now = datetime.now()
await self._refresh_token_repository.create(
RefreshToken(
uuid4(),
refresh_token,
False,
self.__credential.id,
refresh_token_expiration_time,
now,
now,
now,
)
)
return AuthOutputDto(
UUID(self.__credential.id),
self.__credential.email,
access_token,
refresh_token,
)
except Exception as e:
raise e
O tempo de expiração dos tokens é recuperado através de variáveis de ambiente e a credencial com o salt são recuperados através do email. Entre as linhas 103 e 106 a senha fornecida pelo usuário é concatenada ao salt e o hash dessa string resultante é gerado, assim é possível comparar com a senha armazenada no banco. Por fim acontecem os processos de criação dos access_token e refresh_token, o armazenamento do refresh_token e o retorno dos mesmos ao client. Utilizar essa técnica é bem simples e permite fechar uma falha de segurança no seu sistema, além de dificultar alguns outros possíveis ataques. O código exposto no texto faz parte de um projeto maior meu e está no meu github: https://github.com/geovanymds/auth.
Espero que esse texto tenha sido útil para deixar os processos de autenticação no seu sistem mais seguros. Nos vemos no próximo artigo!
The above is the detailed content of CREATING AN AUTHENTICATION SERVICE IN PYTHON USING SALT. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1664
14
1421
52
1315
25
1266
29
1239
24
Python vs. C : Applications and Use Cases Compared
Apr 12, 2025 am 12:01 AM
Python is suitable for data science, web development and automation tasks, while C is suitable for system programming, game development and embedded systems. Python is known for its simplicity and powerful ecosystem, while C is known for its high performance and underlying control capabilities.
The 2-Hour Python Plan: A Realistic Approach
Apr 11, 2025 am 12:04 AM
You can learn basic programming concepts and skills of Python within 2 hours. 1. Learn variables and data types, 2. Master control flow (conditional statements and loops), 3. Understand the definition and use of functions, 4. Quickly get started with Python programming through simple examples and code snippets.
Python: Games, GUIs, and More
Apr 13, 2025 am 12:14 AM
Python excels in gaming and GUI development. 1) Game development uses Pygame, providing drawing, audio and other functions, which are suitable for creating 2D games. 2) GUI development can choose Tkinter or PyQt. Tkinter is simple and easy to use, PyQt has rich functions and is suitable for professional development.
Python vs. C : Learning Curves and Ease of Use
Apr 19, 2025 am 12:20 AM
Python is easier to learn and use, while C is more powerful but complex. 1. Python syntax is concise and suitable for beginners. Dynamic typing and automatic memory management make it easy to use, but may cause runtime errors. 2.C provides low-level control and advanced features, suitable for high-performance applications, but has a high learning threshold and requires manual memory and type safety management.
How Much Python Can You Learn in 2 Hours?
Apr 09, 2025 pm 04:33 PM
You can learn the basics of Python within two hours. 1. Learn variables and data types, 2. Master control structures such as if statements and loops, 3. Understand the definition and use of functions. These will help you start writing simple Python programs.
Python and Time: Making the Most of Your Study Time
Apr 14, 2025 am 12:02 AM
To maximize the efficiency of learning Python in a limited time, you can use Python's datetime, time, and schedule modules. 1. The datetime module is used to record and plan learning time. 2. The time module helps to set study and rest time. 3. The schedule module automatically arranges weekly learning tasks.
Python: Exploring Its Primary Applications
Apr 10, 2025 am 09:41 AM
Python is widely used in the fields of web development, data science, machine learning, automation and scripting. 1) In web development, Django and Flask frameworks simplify the development process. 2) In the fields of data science and machine learning, NumPy, Pandas, Scikit-learn and TensorFlow libraries provide strong support. 3) In terms of automation and scripting, Python is suitable for tasks such as automated testing and system management.
Python: Automation, Scripting, and Task Management
Apr 16, 2025 am 12:14 AM
Python excels in automation, scripting, and task management. 1) Automation: File backup is realized through standard libraries such as os and shutil. 2) Script writing: Use the psutil library to monitor system resources. 3) Task management: Use the schedule library to schedule tasks. Python's ease of use and rich library support makes it the preferred tool in these areas.
