home > User Authentication with PostgreSQL database

User Authentication with PostgreSQL database

Problem

  • You want a system to authenticate users, with a postgresql database.

Solution

  • A user authentication system could have a lot of functions. For this example, we're only going to manage the authentication process, through a postgresql database.

Needed

  • web.py for all the web functions, and hashlib to store the passwords securely:

    import web import hashlib

1st: The database

First of all, we need a table for the users. This scheme is very simple, but is enough for a lot of projects.

#

CREATE TABLE example_users
(
  id serial NOT NULL,
  user character varying(80) NOT NULL,
  pass character(40) NOT NULL,
  email character varying(100) NOT NULL,
  privilege integer NOT NULL DEFAULT 0,
  CONSTRAINT utilisateur_pkey PRIMARY KEY (id)
)

2nd: the urls

There will be 2 states during the login/logout session:

  • "Login" is for the login page

  • "Reset" for the logout page.

sessions doesn't work in debug mode because it interfere with reloading. see session_with_reloader for more details.

#

web.config.debug = False

urls = (
  '/login', 'Login',
  '/reset', 'Reset',
)
app = web.application(urls, locals())
db = web.database(dbn='postgres', db='YOURDB', user='USERNAME', pw='PASSWORD')

store = web.session.DiskStore('sessions')
session = web.session.Session(app, store,
                              initializer={'login': 0, 'privilege': 0})

3rd: Logged or not logged ?

To manage the access for people who are logged or not is very easy. Just define the logged expression like this, and use it for your login/reset classes:

#

def logged():
    if session.login==1:
        return True
    else:
        return False

4th: Easy Privleges Management

I manage my users in 4 categories: admin+user+reader (logged), and visitors (not logged). The directory template is choosing according to the privilege specified in the table example_users.

#

def create_render(privilege):
    if logged():
        if privilege == 0:
            render = web.template.render('templates/reader')
        elif privilege == 1:
            render = web.template.render('templates/user')
        elif privilege == 2:
            render = web.template.render('templates/admin')
        else:
            render = web.template.render('templates/communs')
    else:
        render = web.template.render('templates/communs')
    return render

5th: Login and Reset Python Classes

Now, let's have fun: - If you are already logged, you are redirecting to the login_double.html template file - Else, to the login.html.

#

class Login:

    def GET(self):
        if logged():
            render = create_render(session.privilege)
            return '%s' % render.login_double()
        else:
            render = create_render(session.privilege)
            return '%s' % render.login()
  • Ok, ok. Now, for the POST(). According to the .html file, we recover the variables posted in the form (see the login.html), and we compare it to the example_users.user row.
  • For security, we don't store passwords in the database directly, but store the hash of the password + salt; this is kind of line one-way encryption, so we can tell if the user's passwords match, but an attacker couldn't figure out what the password was to start with.
  • If the login/pass is ok, redirect to the login_ok.html.
  • If not, redirect to the login_error.html.

    def POST(self):
        name, passwd = web.input().name, web.input().passwd
        ident = db.select('example_users', where='name=$name', vars=locals())[0]
        try:
            if hashlib.sha1("sAlT754-"+passwd).hexdigest() == ident['pass']:
                session.login = 1
                session.privilege = ident['privilege']
                render = create_render(session.privilege)
                return render.login_ok()
            else:
                session.login = 0
                session.privilege = 0
                render = create_render(session.privilege)
                return render.login_error()
        except:
            session.login = 0
            session.privilege = 0
            render = create_render(session.privilege)
            return render.login_error()

For the reset function, we just kill the session, and redirect to the logout.html template file.

#

class Reset:

    def GET(self):
        session.login = 0
        session.kill()
        render = create_render(session.privilege)
        return render.logout()

6th: HTML templates help

Well, I think that nobody will need this, but, I prefer to give all the informations. The most important is the login.html.

#

<form action="/login" method="POST">
    <table id="login">
        <tr>
            <td>User: </td>
            <td><input type="text" name="user"></td>
        </tr>
        <tr>
            <td>Password: </td>
            <td><input type="password" name="passwd"></td>
        </tr>
        <tr>
            <td></td>
            <td><input type="submit" value="LOGIN"></td>
        </tr>
    </table>
</form>

7th: Some problems or questions ?

  • Mail: you can contact me at guillaume(at)process-evolution(dot)fr
  • IRC: #webpy on irc.freenode.net (pseudo: Ephedrax)
  • Translations: I'm french, and my english is bad...you can edit my work
  • Revision: Vayn