[Twisted-Python] Getting my Cred interfaces right: IUsername(Hashed)?Password

exarkun at twistedmatrix.com exarkun at twistedmatrix.com
Wed Nov 14 07:29:56 EST 2012

On 09:05 am, _ at lvh.cc wrote:
>I'm trying to make sure that I have my cred interfaces right.
>Users log in using a username and password. They provide these
>in plaintext (over a TLSd connection). The user password is stored
>using a secure key derivation function (in casu, scrypt).
>Currently I have this gumongous User object (an Axiom Item), and I'm 
>to split it up into parts. IIUC, the checker's checked interface should 
>IUsernamePassword (that's already the case). However, the thing I adapt 
>User to to check it should be an IUsernameHashedPassword, right?

This isn't right.  The point of declaring interfaces on the checker is 
so the system knows what kind of credentials it can check.  If your 
credentials object implements a different interface than your checker 
declares it can check, the system won't ever ask the checker to check 
the credentials.

It sounds like you might have something extra going on beyond the normal 
usage of cred, which perhaps makes the idea you've written about here 
work somehow - but I don't know what the extra something is, and it 
probably doesn't apply to cred usage in general (i.e., perhaps it is a 
particularity of Axiom).

>In the end, I doubt this matters an awful lot, unless somebody ends up
>implementing a IUsernameHashedPassword checker that is smart enough to 
>both scrypt/bcrypt headers and /etc/shadow-style $-delimited entries.
