2

I am creating a sports app which allows users to create their own leagues and invite their friends to play. Ideally I would like to password protect the league. This is the table as it currently stands:

class StraightRedPersonalLeague(models.Model):
    seasonid = models.IntegerField(primary_key=True)
    personalleaguelongname = models.CharField(max_length=36)
    personalleagueshortname = models.CharField(max_length=24)
    leaguepassword = ????
    leagueispublic = models.NullBooleanField(null=True)
    soccerseason = models.ForeignKey('straightred.StraightredSeason', db_column='soccerseasonid', related_name='personalleague_seasonUserSelection')

    class Meta:
        managed = True
        db_table = 'straightred_personalleague'

I have had a search on stackoverflow and found the following:

How to create Password Field in Model django

The answer wasn't accepted but has had some upvotes. Is it safe to store the password as a CharField? If so, I assume the forms.PasswordInput is the part that is doing all the "magic" regarding security.

Any advice on this security issue would be appreciated.

Alan Tingey

3 Answers

4

TLDR

You shouldn't be bothering with this. You should be using django's very secure user authentication framework. The simplest way is

from django.contrib.auth.models import User
from django.db import models


class StraightRedPersonalLeague(models.Model):
    seasonid = models.IntegerField(primary_key=True)
    personalleaguelongname = models.CharField(max_length=36)
    # Link the league to a Django user instead of storing a password here
    user = models.OneToOneField(User, on_delete=models.CASCADE)
    leagueispublic = models.NullBooleanField(null=True)
    soccerseason = models.ForeignKey('straightred.StraightredSeason', db_column='soccerseasonid', related_name='personalleague_seasonUserSelection')

    class Meta:
        managed = True
        db_table = 'straightred_personalleague'

let django worry about securing passwords.

forms.PasswordInput

This has no magic; it basically maps to an HTML password field. forms.PasswordInput is only for user input and does not dictate how the password is actually stored in the DB.

Password storage field

The django.contrib.auth.models.User inherits from AbstractBaseUser and this is how the password field is defined in it:

password = models.CharField(_('password'), max_length=128)

But (and it's a big but), there is a lot of work that goes on behind the scenes to ensure that the password is securely hashed.

e4c5
  • Sorry for the slow reply. Do I put the "password = models.CharField(_('password'), max_length=128)" in my model? It is just that you don't have it in the class StraightRedPersonalLeague. – Alan Tingey Jun 13 '17 at 19:38
  • Oh, I think we may be talking cross purposes. This password is not for logging in. The user will let their friends know of their league via a link. They then have to enter the password they have been sent to join the league. – Alan Tingey Jun 13 '17 at 19:45
  • that makes your question totally unclear – e4c5 Jun 13 '17 at 23:43
  • The user login is unchanged, I just want user to be able to join a password protected league. – Alan Tingey Jun 14 '17 at 18:32
0

It is safe to store a password as a CharField, but you have to hash it. You can check here how to hash a password. Here is the official documentation about the set_password() method.

Jan Giacomelli
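The hashing this answer describes, as an added example that is not part of the original answer: in a Django project you would call make_password() and check_password() from django.contrib.auth.hashers. The standard-library re-implementation below mirrors Django's default PBKDF2-SHA256 storage format so it runs without a Django project; PersonalLeague and the function names are stand-ins for the model and its methods.

```python
import base64
import hashlib
import hmac
import secrets

# Stored format, the same shape Django's PBKDF2 hasher writes into its
# CharField(max_length=128): "pbkdf2_sha256$<iterations>$<salt>$<base64 digest>".
# This is an illustration of the scheme, not Django's own code.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000


def make_join_password(raw_password, salt=None, iterations=ITERATIONS):
    """Return the string to store in the CharField; the raw password is never stored."""
    if salt is None:
        salt = secrets.token_urlsafe(16)  # fresh random salt per league
    digest = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt.encode(), iterations)
    encoded = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${encoded}"


def check_join_password(raw_password, stored):
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations, salt, _encoded = stored.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed or legacy value: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    candidate = make_join_password(raw_password, salt=salt, iterations=iterations)
    return hmac.compare_digest(candidate, stored)


class PersonalLeague:
    """Stand-in for the model: holds only the hash a join view would check against."""

    def __init__(self, short_name, raw_password):
        self.personalleagueshortname = short_name
        self.leaguepassword = make_join_password(raw_password)  # what the CharField stores

    def can_join(self, submitted_password):
        return check_join_password(submitted_password, self.leaguepassword)
```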
0

You'd better inherit it from AbstractUser, which already has all the password security instruments inside.

vZ10
  • I do not understand what you mean, could you elaborate? – Alan Tingey Jun 13 '17 at 19:47
  • Your StraightRedPersonalLeague is an entity which has one to one to User model, so you don't have to create one more password field. You can or use User password field, or extend User model with additional fields, like here https://docs.djangoproject.com/en/dev/topics/auth/customizing/#extending-the-existing-user-model – vZ10 Jun 14 '17 at 04:43
  • But it is not the user's password. It is a completely separate password used to login. Hope that makes sense? – Alan Tingey Jun 14 '17 at 19:14
  • It's one to one to user, so only that user can log in with that personal league. Why different passwords? – vZ10 Jun 14 '17 at 19:22
  • a user can create a league and invite friends to join. The league is a fantasy football league and whoever is invited will need to enter the password to join the league. – Alan Tingey Jun 14 '17 at 19:33
  • Only one league per user? – vZ10 Jun 15 '17 at 03:33
  • in any case you can inherit from AbstractUser because it has all the security features connected with passwords. And add all the fields you need. – vZ10 Jun 15 '17 at 03:36