The fact that encrypt_password() generates a new value is by design. The fact that verify_password() fails is not. It's an already reported bug in Flask-Security.
When you use the login view, a different method, verify_and_update_password(), is used instead, which doesn't suffer from the same problem.
The fix is not yet part of a new release. You can fix this issue yourself by applying the change from PR #223; it replaces the verify_password() function in the flask_security/utils.py file with:
# Lives in flask_security/utils.py, where _security, get_hmac and
# _pwd_context are already defined at module level.
def verify_password(password, password_hash):
    """Returns ``True`` if the password matches the supplied hash.

    :param password: A plaintext password to verify
    :param password_hash: The expected hash value of the password (usually from your database)
    """
    # Apply the same HMAC pre-hash that encrypt_password() uses, then let the
    # passlib context compare against the stored hash (no new hash is created).
    if _security.password_hash != 'plaintext':
        password = get_hmac(password)
    return _pwd_context.verify(password, password_hash)
i.e. first hash the password with HMAC+SHA512 before verifying it against the hash, just as the original encrypt_password() does, and not apply encrypt_password() as the current released version does.
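To make the difference concrete, here is an added, self-contained illustration (not Flask-Security's code) of why the released verify_password() can never succeed while the PR #223 version does. It uses a constructed HMAC key and a salted PBKDF2 stand-in for passlib's _pwd_context; the function names encrypt_password, get_hmac, verify_password_buggy and verify_password_fixed are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for SECURITY_PASSWORD_SALT: the HMAC key used by get_hmac().
PASSWORD_SALT = b"constructed-example-salt"


def get_hmac(password: str) -> str:
    """Mimics get_hmac(): HMAC-SHA512 keyed with the salt, base64-encoded."""
    digest = hmac.new(PASSWORD_SALT, password.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(digest).decode("ascii")


def _ctx_hash(secret: str) -> str:
    """Stand-in for _pwd_context.encrypt(): fresh random salt + PBKDF2-SHA512."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", secret.encode("utf-8"), salt, 10000)
    return salt.hex() + "$" + dk.hex()


def _ctx_verify(secret: str, stored: str) -> bool:
    """Stand-in for _pwd_context.verify(): re-derive with the stored salt and compare."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha512", secret.encode("utf-8"), bytes.fromhex(salt_hex), 10000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def encrypt_password(password: str) -> str:
    """Like the released encrypt_password(): HMAC first, then the context hash.
    Every call produces a new value because of the random salt (by design)."""
    return _ctx_hash(get_hmac(password))


def verify_password_buggy(password: str, password_hash: str) -> bool:
    """Released behaviour: feeds a freshly generated hash (not the HMAC) into
    the context's verify, so the candidate never matches the stored hash."""
    return _ctx_verify(encrypt_password(password), password_hash)


def verify_password_fixed(password: str, password_hash: str) -> bool:
    """PR #223 behaviour: HMAC the candidate, then let the context verify it."""
    return _ctx_verify(get_hmac(password), password_hash)
```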