Building data-driven web apps with Pyramid and SQLAlchemy Transcripts
Chapter: User input and HTML forms
Lecture: Creating the user
0:00 We have the values: email, name and password
0:02 and we validated that they're okay.
0:05 We will improve on that but let's just roll with this.
0:07 Now it's time to actually create the user.
0:09 So, how do we do that?
0:13 Remember we have the user service.
0:14 Let's put that logic right there
0:16 and let's just call create_user and pass the data.
0:22 Of course PyCharm knows this doesn't exist
0:26 and let's do like this, say user
0:29 and then we'll have a TODO: login user.
0:32 I'll talk more about that in a moment
0:34 but let's just first create that user so that they exist.
0:43 All right, looks good to me
0:44 except for the fact that it's returning None.
0:47 How are we going to do this?
0:48 Well, at this point it's pretty straightforward.
0:50 I say user = User()
0:53 and then we're going to return user.
0:56 Let's set all those values.
1:00 What do you think? Yes? No?
1:03 No. Don't do that. Be careful there
1:07 so what we want to do is we actually want
1:08 to take this password
1:10 and turn it into something that is completely irreversible.
1:15 Hopefully so computationally expensive that people will try
1:19 and then just go "forget this, this is not working.
1:22 I'm going to go hack some other site that is easier to get to."
1:29 You know, this assumes they get ahold of the password hash
1:31 or something like that, like if some data leaked,
1:33 but still you've got to be really careful here
1:35 storing this in our database.
1:36 We don't want to cause trouble.
1:37 So how do we do that?
1:39 Well, we're going to use this thing called Passlib.
1:42 Passlib is really sweet. What it lets you do
1:45 is it lets you basically choose an encryption algorithm
1:49 and then just hash it with what's called customized salt
1:54 so it's extremely hard to guess.
1:56 It's not just guessing the password
1:57 it's also guessing other stuff being factored in
2:00 and then not just hashing it
2:03 which is sort of a one way thing
2:05 but it can be, you can sort of brute force
2:07 you can take a bunch of words
2:09 and hash them and see if they match
2:10 if you also knew the salt.
2:12 So what we're going to do here is hash it
2:14 over and over and over like 100,000 times or something
2:18 which will make it way harder.
2:19 So Passlib makes that super easy.
2:22 So we're going to do this from passlib
2:25 we want to install that package .handlers.sha2
2:34 we're going to import sha512crypt.
2:38 Okay so this is pretty strong.
2:39 Bcrypt would be better and they do support it
2:41 but Bcrypt, I believe, has stronger dependencies
2:44 in order to get it to work on your system.
2:47 sha512 doesn't take any extra setup
2:49 so just for simplicity's sake we're going to go with that.
2:52 I'm going to just drop two functions in here
2:55 hashing_text and verifying_text
2:57 so we're going to just call encrypt
3:00 and we're going to say not just do it once
3:02 with custom salt, do it 150,000 times
3:04 and then you can just ask
3:05 given a plain text password do these match?
3:10 So now we're just going to go over here
3:11 and say hash_text password. Boom.
3:14 Now we're down to just standard database stuff.
3:16 Remember it goes like this, session.commit()
3:20 and then what are we going to do?
3:21 session.add(user). Well that's pretty much it.
3:27 See, in practice there might be some issues using this user
3:30 because once you commit you need to requery it
3:33 from the database.
3:34 We'll run into that later I'm sure and talk about it
3:37 but for now this should let us create the user.