Django意外地只存储密码散列,而不存储算法参数
我有一个Django应用程序,可以在本地正常工作。它在迁移中创建一个用户:Django意外地只存储密码散列,而不存储算法参数,django,django-authentication,Django,Django Authentication,我有一个Django应用程序,可以在本地正常工作。它在迁移中创建一个用户: superuser = User.objects.create_superuser( username=username, email=email, password=password ) superuser.save() 它在本地创建了一个密码结构,正如我所期望的那样: MySQL [XXXX]> select * from auth_user; +----+------------------------
superuser = User.objects.create_superuser(
username=username, email=email, password=password
)
superuser.save()
它在本地创建了一个密码结构,正如我所期望的那样:
MySQL [XXXX]> select * from auth_user;
+----+---------------------------------------------------------------------------+----------------------------+--------------+----------+------------+-----------+-------------------+----------+-----------+----------------------------+
| id | password | last_login | is_superuser | username | first_name | last_name | email | is_staff | is_active | date_joined |
+----+---------------------------------------------------------------------------+----------------------------+--------------+----------+------------+-----------+-------------------+----------+-----------+----------------------------+
| 5 | argon2$argon2i$v=19$m=512,t=2,p=2$SXXXXXXXXXX2eVFl$KZdVItv/XXXXXXXXXXXuRg | 2020-05-15 16:26:01.713174 | 1 | internal | | | XXX@XXX.org | 1 | 1 | 2020-05-15 16:25:12.438746 |
+----+---------------------------------------------------------------------------+----------------------------+--------------+----------+------------+-----------+-------------------+----------+-----------+----------------------------+
在生产中,它做了一些非常奇怪的事情,存储哈希,但不存储任何算法数据:
MySQL [XXXX]> select * from auth_user;
+----+-------------------------------------------+------------+--------------+----------+------------+-----------+-------------------+----------+-----------+----------------------------+
| id | password | last_login | is_superuser | username | first_name | last_name | email | is_staff | is_active | date_joined|
+----+-------------------------------------------+------------+--------------+----------+------------+-----------+-------------------+----------+-----------+----------------------------+
| 1 | !rbx7XXXXXXXXXXXXXXXXu7o84FNI3tZcQc5Lgkqt | NULL | 1 | internal | | | XXX@XXX.org | 1 | 1 | 2020-05-15 09:43:49.955879|
+----+-------------------------------------------+------------+--------------+----------+------------+-----------+-------------------+----------+-----------+----------------------------+
我已经验证了相同的docker映像校验和用于本地测试和远程测试。我的要求文件是:
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile requirements.in
#
argon2-cffi==19.2.0 # via django
boto==2.49.0 # via django-ses
brotli==1.0.7 # via whitenoise
certifi==2020.4.5.1 # via requests, sentry-sdk
cffi==1.14.0 # via argon2-cffi
chardet==3.0.4 # via requests
django-environ==0.4.5 # via -r requirements.in
django-ipware==2.1.0 # via django-structlog
django-prometheus==1.1.0 # via -r requirements.in
django-ses==0.8.14 # via -r requirements.in
django-structlog==1.5.2 # via -r requirements.in
django-zxcvbn-password==2.1.0 # via -r requirements.in
django[argon2]==2.2.3 # via -r requirements.in, django-structlog, djangorestframework
djangorestframework==3.11.0 # via -r requirements.in
future==0.18.2 # via django-ses
gunicorn==20.0.4 # via -r requirements.in
idna==2.9 # via requests
incuna-mail==4.0.0 # via -r requirements.in
mysqlclient==1.4.6 # via -r requirements.in
prometheus-client==0.7.1 # via django-prometheus
pycparser==2.20 # via cffi
pytz==2019.3 # via django, django-ses
requests==2.23.0 # via -r requirements.in
sentry-sdk==0.14.3 # via -r requirements.in
six==1.14.0 # via -r requirements.in, argon2-cffi, structlog
sqlparse==0.3.1 # via django
structlog==20.1.0 # via django-structlog
urllib3==1.25.9 # via requests, sentry-sdk
whitenoise[brotli]==5.0.1 # via -r requirements.in
zxcvbn==4.4.28 # via django-zxcvbn-password
# The following packages are considered to be unsafe in a requirements file:
# setuptools
什么原因会导致这种情况?这是由配置中提供的空白密码导致设置了不可用的密码造成的
User.objects.create\u superuser
在提供空字符串时设置不可用的密码。文件说:
如果未提供密码,将调用set_unusable_password()
然而,空字符串似乎被视为“无密码”(这是出乎意料的,尽管鉴于Python对空字符串的错误处理,这并不奇怪)。服务的配置中有一个错误,导致向其传递一个空密码
出现意外的不同格式的原因是无法使用的密码似乎没有使用相同的哈希函数结构 您是否有相同的生产设置(密码哈希器等),是否使用默认的create_superuser功能这可能是一个小错误,配置缺少密码,导致设置了“无法使用的密码”。只是确认一下。我不会投票关闭它,因为它是django auth库中意外行为造成的真正的头痛。我打赌这会把其他人赶出去。