[Moin-user] Performing custom authentication against a database table

Alex Willmer alex at moreati.org.uk
Wed Apr 18 12:20:33 EDT 2007 

I'm trying to have MoinMoin authenticate users authenticate users against a
table in postgresql. So far I've written a dbtable() function (based on the
distributed LDAP()) and added to wikiconfig.py as:
    auth = [dbtable, moin_cookie] 

However the custom authentication is not working, moinmoin reports the username
as not found, although moin_cookie auth continues to work.

I have a couple of questions:
1. Where does request.log() log to?
2. Is there anything glaringly wrong with my code? Am I right to return user_obj
rather than the created User object?

Regards & thanks.
Alex Willmer

def unpack_kw(kw):
    """Return name, password, login, user_obj from kw dictionary."""
    return (kw.get('name'), kw.get('password'), 
            kw.get('login'), kw.get('logout'), kw.get('user_obj'))


def dbtable(request, **kw):
    """Get authentication from form, authenticate via table in database
    User profile must be handled e.g. by cookie
    """
    username, password, login, logout, user_obj = unpack_kw(kw)
    cfg = request.cfg
    dbmod = cfg.auth_dbtable_module
    dbdsn = cfg.auth_dbtable_dsn
    tabname = cfg.auth_dbtable_tablename
    usercol = cfg.auth_dbtable_usercolumn
    passcol = cfg.auth_dbtable_passcolumn
    verbose = cfg.auth_dbtable_verbose

    if verbose: request.log('auth_dbtable: name=%s login=%s logout=%s' %
                            (username, login, logout))
    if not login and not logout: return user_obj, True

    import md5
    import sha
    import sys
    import traceback
    import psycopg2 as dbapi2 # TODO AW Honour auth_dbtable_module
    from MoinMoin import auth, user
    
    try:
        algos = {'md5':md5, 'sha1':sha}
        if verbose: request.log('auth_dbtable: Connecting to database')
        conn = dbapi2.connection(dsn=dsn)
        curs = conn.cursor()
        q = """SELECT %s FROM %s WHERE %s = %%(username)s""" % \
            (passcol, tabname, usercol)
        if verbose: request.log('auth_dbtable: Querying table %s' % (tabname))
        curs.execute(q, {'username': username})
        shib = curs.fetchone()[0]
        curs.close()
        conn.close()

        if verbose: request.log('auth_dbtable: Testing user %s' % (username))
        pwalgo, pwsalt, pwhash = shib.split('$')
        hashfunc = algos[pwalgo]
        challenge = hashfunc.new(pwsalt+password).hexdigest()
        if challenge == pwhash:
            if verbose: 
                request.log('auth_dbtable: Logged in user %s' % (username))
            u = user.User(request, auth_username=username, password=password,
                          name=username,
                          auth_method='dbtable',
                          auth_attribs=('name', 'auth_username', 'password',))
            u.create_or_update(True)
        else:
            if verbose:
                request.log('auth_dbtable: User %s login failed' % (username))
            u = None
    except:
        info = sys.exc_info()
        request.log("auth_dbtable: caught an exception, traceback follows:")
        request.log(''.join(traceback.format_exception(*info)))

    return (user_obj, True)

More information about the Moin-user mailing list