use bcrypt's checkpw instead of ==

tornadoweb · Nov 29, 2019 · 0e6ec17 · 0e6ec17
1 parent 18d7026
commit 0e6ec17
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/demos/blog/blog.py b/demos/blog/blog.py
@@ -266,14 +266,13 @@ async def post(self):
         except NoResultError:
             self.render("login.html", error="email not found")
             return
-        hashed_password = await tornado.ioloop.IOLoop.current().run_in_executor(
+        password_equal = await tornado.ioloop.IOLoop.current().run_in_executor(
             None,
-            bcrypt.hashpw,
+            bcrypt.checkpw,
             tornado.escape.utf8(self.get_argument("password")),
             tornado.escape.utf8(author.hashed_password),
         )
-        hashed_password = tornado.escape.to_unicode(hashed_password)
-        if hashed_password == author.hashed_password:
+        if password_equal:
             self.set_secure_cookie("blogdemo_user", str(author.id))
             self.redirect(self.get_argument("next", "/"))
         else: