Building Data-Driven Web Apps with Pyramid and SQLAlchemy Transcripts
Chapter: User input and HTML forms
Lecture: Creating the user

0:00 We have the values: email, name and password and we validated that they're okay. We will improve on that but let's just roll with this.
0:08 Now it's time to actually create the user. So, how do we do that? Remember we have the user service. Let's put that logic right there
0:17 and let's just call create_user and pass the data. Of course PyCharm knows this doesn't exist and let's do like this, say user
0:30 and then we'll have a TODO: login user. I'll talk more about that in a moment but let's just first create that user so that they exist.
0:44 All right, looks good to me except for the fact that it's returning None. How are we going to do this? Well, at this point it's pretty straightforward.
0:51 I say user = User() and then we're going to return user. Let's set all those values. What do you think? Yes? No? No. Don't do that. Be careful there.
1:08 So what we want to do is we actually want to take this password and turn it into something that is completely irreversible.
1:16 Hopefully so computationally expensive that people will try and then just go "forget this, this is not working.
1:23 I'm going to go hack some other site that is easier to get to." You know, this assumes they get ahold of the password hash
1:32 or something like that, like if some data leaked, but still you've got to be really careful here storing this in our database.
1:37 We don't want to cause trouble. So how do we do that? Well, we're going to use this thing called Passlib. Passlib is really sweet. What it lets you do
1:46 is it lets you basically choose an encryption algorithm and then just hash it with what's called customized salt, so it's extremely hard to guess.
1:57 It's not just guessing the password, it's also guessing other stuff being factored in, and then not just hashing it, which is sort of a one-way thing,
2:06 but it can be, you can sort of brute force: you can take a bunch of words and hash them and see if they match, if you also knew the salt.
2:13 So what we're going to do here is hash it over and over and over like 100,000 times or something which will make it way harder.
2:20 So Passlib makes that super easy. So we're going to do this: from passlib (we want to install that package) .handlers.sha2
2:35 we're going to import sha512_crypt. Okay, so this is pretty strong. Bcrypt would be better and they do support it,
2:42 but bcrypt, I believe, has stronger dependencies in order to get it to work on your system. sha512 doesn't take any extra setup,
2:50 so just for simplicity's sake we're going to go with that. I'm going to just drop two functions in here, hashing_text and verifying_text,
2:58 so we're going to just call encrypt and we're going to say not just do it once with custom salt, do it 150,000 times, and then you can just ask,
3:06 given a plain text password, do these match? So now we're just going to go over here and say hash_text(password). Boom.
3:15 Now we're down to just standard database stuff. Remember it goes like this, session.commit() and then what are we going to do?
3:22 session.add(user). Well, that's pretty much it. See, in practice there might be some issues using this user
3:31 because once you commit you need to requery it from the database. We'll run into that later, I'm sure, and talk about it,
3:38 but for now this should let us create the user.

