I have got keyring concept. And I'm trying to get the username list from it.
Unfortunately it seems there is no function for get saved username list.
I hope to show the saved list and choose one for auto logging.
Even though there is credential, it shows only at least username.
If there is no function about it, I will make to username list when login info is saved.
But I don't want it purely. Is there any library for saving data like keyring mechanism?
(encoding and saving private region each machine, but without password. Only String like username)
Related
I'm making an application where there are user accounts in play.
All data of the user is encrypted using a key. This key is encrypted itself, using the hash of the user password. This means that when the user logs in with the correct password, the resulting hash will decrypt the key which can then be used to decrypt all other data of the user. The user password is the "gate" to all user data.
Forgetting their user password means losing their account. I want to implement a way to recover their account.
To recover their account, it needs to be possible to recover the decrypted key without storing it in decrypted form in the database and without encrypting it using a password. It needs to be recoverable using email recovery or something similar.
I haven't found a way to make this work and that's why I'm asking help. I don't need code (it's written in python though if you really want to); just pseudo-code about how one should go about implementing this is enough.
Basically, I have built a login system.
The first time that a user uses the login system, a text file is created and the username and password are saved there when the user uses a "remember password?" function.
The second time the software uses the system, the system already has the user and password typed in if the user previously used the "remember password?" function.
The thing is, the text file where the password and user are stored can be accessed by simply just going to folder and double clicking on it, which is awful for security reasons.
Is it possible to make it so that the text file can't be accessed outside the program?
It's not possible, as long as you are storing data on your disk, the data will always be readable.
Actuall when you uses .txt, it means that you want it to be readable to others. If you are looking for security, you have to encode your content(Account & Password) to something else that only your program can read.
something similar to chaning 'A' to 'B', '1' to '0', '0' to '7'.....
or another approach used by modern Login Sytem: Hashing your Password
Basically, there isn't a way to securely store a password in clear in a file in the file system.
You can arrange things so that a file can only be read by a specific account on the system. However, someone with admin privilege will (probably) be able to do things that will give themselves access. And there will most likely be other ways to break file system security in some circumstances.
The ideal solution is to NOT store the password. Even storing it encrypted with a private key is a bad idea.
Creating and storing a "salted hash" of a password can be secure ... provided that there is no way that a "bad guy" can capture the password characters before they have been hashed, but I don't think that is going to help you here ... since you apparently need to be able to recover the actual password.
Maybe the best approach would be to investigate "password safe" or "key chain" products that are provided by the client's OS or web browser. Unfortunately, this is going to be platform specific.
You could also just "hide" the file containing the password, or (reversibly) obscure the password. But this is insecure. It can easily be defeated by reverse engineering the steps that your code is taking to hide the password.
I need to provide password recovery token in order to test it's functionality with integration test. But I can't trace the place its stored.
Apparently it doesn't. It hashes the user's current password [hash] and their id and sends that as token. Which is entirely reasonable, since that's already user-specific information stored in the database, no need to generate yet another token. And it will even invalidate itself once the password has been changed. I'd probably add a timestamp somewhere in there though so the link isn't valid forever.
Im trying to send a simple email to do the password recover of a user, the input is just a email to send the new password..
But i can't... i get this error
SMTPServerDisconnected: please run connect() first
I already tried a few examples, like, https://bitbucket.org/andialbrecht/appengine_emailbackends/overview, but i get the same error
I really need this, maybe someone can tell me how to use an alternative to code in my view to send an email...Also i changed the backend to
EMAIL_BACKEND = 'djangoappengine.mail.EmailBackend'
but nothing,i don't know how to use this backend anyway :(
Plz Help :(
maybe someone can tell me how to use an alternative to code in my view to send an email...
I can help with this, seeing as it seems that perhaps this repository you're trying to use is based on an earlier version of App Engine and is throwing the error due to a required code change somewhere in the library - either that or the fact that you changed the string from what the library recommends (your version: 'djangoappengine.mail.EmailBackend') to a string that seems to not be correct, as it's different to what the author of the repository directed you to use (their version: 'appengine_emailbackend.EmailBackend'), and this is causing trouble.
Whenever possible, I'd recommend seeing if there is an "app-engine-y" way to do something, before going to a third-party library or deploying a module somebody else wrote to hack in third-party capabilities, or looking for an advanced/experimental feature (for example, use Datastore first, rather than remotely connecting to a MySQL VM, unless you need MySQL). If you absolutely need that library, this is a different story, but if you just want to send emails, the Mail API is what you need. It's a convenient way to send emails on App Engine.
I'm going to assume in the following that you are storing your user's usernames and hashed passwords in custom-defined User-kind entities in your Datastore. If you have your users using simple OAuth to sign into your site, there is never any reason to "reset/recover password":
Create the <form action="/some/route" action="POST"> element on
the page where the user requests password recovery.
Put the code responsible for handling this form submission (they will input their email, or whatever account info they need for your code to find their User entity in the Datastore in a handler that will respond on that route.
In the handler, generate a unique token and store it in the Datastore. Send the token in the email that you generate and send using the Mail API (see the example code in the link to the docs I provided). This will allow your user to return to your site, authenticate with the token from the email, and then fill out a form to create a new password. You will then hash this password (with a salt) and store it in their User entity in your Datastore.
I'm skipping over the details of how to implement a "password recovery form", given what I said about OAuth and that you are probably really only concerned with how to send mail. In the email you send, for example, you can insert a hyperlink to your site with the token already inserted as a query param, so that the user doesn't have to copy and paste, etc.
I am writing an application in GAE. In order to link the currently logged in user to data in my application I have been relying on equality between users.get_current_user() and members.user (see model below). Where I run into trouble is when the user signs in with an email address using different capitalization than his/her initial login (janeDoe#example.com != janedoe#example.com). What is the most reliable way to link the current user to application specific data?
class members(db.Model):
firstName=db.StringProperty(verbose_name='First Name',required=True)
lastName=db.StringProperty(verbose_name='Last Name',required=True)
user=db.UserProperty()
Don't use the username - call user.user_id(), and compare on that. It's guaranteed to remain the same, even if nickname or email address change.
Always convert username to lowercase and then do operations on it: when storing the first time and on later comparisons.