Swap user_can_authenticate and check_password in if statement#16969
Closed
ebram96 wants to merge 1 commit intodjango:mainfrom
Conversation
Make user_can_authenticate the left operand and check_password the right operand in the if statement because user_can_authenticate does no complex logic but check_password does. This can save computation.
charettes reviewed on Jun 12, 2023:
| UserModel().set_password(password) | ||
| else: | ||
| if user.check_password(password) and self.user_can_authenticate(user): | ||
| if self.user_can_authenticate(user) and user.check_password(password): |
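Review bot: reversing the operands in this hunk reintroduces the timing difference that the `else` branch above exists to remove. With `self.user_can_authenticate(user)` evaluated first, an inactive user short-circuits before `check_password` ever runs the hasher, whereas a nonexistent user (handled by `UserModel().set_password(password)` in the branch above) and an active user with a wrong password both pay the full hashing cost, so response time alone separates "exists but inactive" from the other outcomes. Keep the original order, `if user.check_password(password) and self.user_can_authenticate(user):`, so that hashing happens on every path that reaches this branch.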
Looking at the line above I think the original order was intended to blur the lines in terms of timing difference and prevent attacks.
Basically no matter what input is provided hashing takes place, which is a slow operation, to make it hard to differentiate between
- A user that doesn't exist
- A user that can't authenticate
- A user with the wrong password
- A user with the right password
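The four cases in the comment above, as an added example that is not part of the pull request or of Django's own code: a stripped-down model of the `authenticate()` logic with the original operand order beside the PR's swapped order. Hashing cost is modelled with PBKDF2 (the iteration count and the user names are assumptions), and every run of the KDF is counted so the difference between the two orders shows up deterministically instead of through wall-clock timing.

```python
import hashlib
import hmac
import os

# Assumption: enough iterations to make a single hash a noticeably slow operation.
ITERATIONS = 20_000


class Hasher:
    """PBKDF2 wrapper that counts how many times the expensive KDF runs."""

    def __init__(self):
        self.calls = 0

    def encode(self, password: str, salt: bytes) -> bytes:
        self.calls += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class User:
    """Minimal stand-in for a user model row with a hashed password."""

    def __init__(self, hasher, username, password, is_active=True):
        self.hasher = hasher
        self.username = username
        self.is_active = is_active
        self.salt = os.urandom(16)
        self.password = hasher.encode(password, self.salt)

    def check_password(self, raw):
        # Always costs one KDF run, like Django's check_password.
        return hmac.compare_digest(self.hasher.encode(raw, self.salt), self.password)


def user_can_authenticate(user):
    # Cheap attribute check: reject inactive users.
    return user.is_active


def authenticate_original(users, hasher, username, password):
    user = users.get(username)
    if user is None:
        # Run the hasher once anyway so a nonexistent user costs the same as a
        # real one (the role of UserModel().set_password(password) in the diff).
        hasher.encode(password, os.urandom(16))
        return None
    # Original order: the slow check runs first, so every existing user hashes.
    if user.check_password(password) and user_can_authenticate(user):
        return user
    return None


def authenticate_swapped(users, hasher, username, password):
    user = users.get(username)
    if user is None:
        hasher.encode(password, os.urandom(16))
        return None
    # The PR's order: the cheap check short-circuits before any hashing.
    if user_can_authenticate(user) and user.check_password(password):
        return user
    return None


def hash_calls_per_case(authenticate):
    """Return {case name: number of KDF runs} for the four cases in the review."""
    hasher = Hasher()
    # Constructed fixtures: one active user, one inactive user.
    users = {
        "alice": User(hasher, "alice", "correct horse"),
        "bob": User(hasher, "bob", "battery staple", is_active=False),
    }
    hasher.calls = 0  # ignore the hashing done while creating the fixtures
    cases = {
        "nonexistent user": ("carol", "anything"),
        "inactive user": ("bob", "battery staple"),
        "wrong password": ("alice", "wrong"),
        "right password": ("alice", "correct horse"),
    }
    result = {}
    for name, (username, password) in cases.items():
        before = hasher.calls
        authenticate(users, hasher, username, password)
        result[name] = hasher.calls - before
    return result


if __name__ == "__main__":
    print("original:", hash_calls_per_case(authenticate_original))
    print("swapped: ", hash_calls_per_case(authenticate_swapped))
```

With the original order all four cases cost exactly one KDF run, so an attacker timing the endpoint cannot tell them apart. With the swapped order the inactive-user case costs zero runs and returns noticeably faster than the other three, which is the leak the reviewer describes.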
I see.. thank you for explaining this!
krisward1 pushed a commit to krisward1/django that referenced this pull request on Jun 13, 2023:
… stuff for non-db connections.
Make user_can_authenticate the left operand and check_password the right operand in the if statement because user_can_authenticate does no complex logic but check_password does (like hashing the raw password). This can save computation in case user_can_authenticate just returns False.