module documentation

Undocumented

Function check_password_hash: Check a password against a given salted and hashed password value. In order to support unsalted legacy passwords this method supports plain text passwords, md5 and sha1 hashes (both salted and unsalted).
Function gen_salt: Generate a random string of SALT_CHARS with specified length.
Function generate_password_hash: Hash a password with the given method and salt with a string of the given length. The format of the string returned includes the method that was used so that check_password_hash can check the hash.
Function pbkdf2_bin: No summary
Function pbkdf2_hex: Like pbkdf2_bin, but returns a hex-encoded string.
Function safe_join: Safely join zero or more untrusted path components to a base directory to avoid escaping the base directory.
Function safe_str_cmp: This function compares strings in somewhat constant time. This requires that the length of at least one string is known in advance.
Constant DEFAULT_PBKDF2_ITERATIONS: Undocumented
Constant SALT_CHARS: Undocumented
Function _hash_internal: Internal password hash helper. Supports plaintext without salt, unsalted and salted passwords. In case salted passwords are used hmac is used.
Variable _os_alt_seps: Undocumented
def check_password_hash(pwhash, password):

Check a password against a given salted and hashed password value. In order to support unsalted legacy passwords this method supports plain text passwords, md5 and sha1 hashes (both salted and unsalted).

Returns True if the password matched, False otherwise.

Parameters
pwhash (str): a hashed string like the one returned by generate_password_hash.
password (str): the plaintext password to compare against the hash.
Returns
bool: Undocumented
def gen_salt(length):
Generate a random string of SALT_CHARS with specified length.
Parameters
length (int): Undocumented
Returns
str: Undocumented
def generate_password_hash(password, method='pbkdf2:sha256', salt_length=16):

Hash a password with the given method and salt with a string of the given length. The format of the string returned includes the method that was used so that check_password_hash can check the hash.

The format for the hashed string looks like this:

method$salt$hash

This method cannot generate unsalted passwords, but method='plain' can be set in order to enforce plaintext passwords. If a salt is used, hmac is used internally to salt the password.

If PBKDF2 is wanted it can be enabled by setting the method to pbkdf2:method:iterations where iterations is optional:

pbkdf2:sha256:80000$salt$hash
pbkdf2:sha256$salt$hash
Parameters
password (str): the password to hash.
method (str): the hash method to use (one that hashlib supports). Can optionally be in the format pbkdf2:method:iterations to enable PBKDF2.
salt_length (int): the length of the salt in letters.
Returns
str: Undocumented
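Added example (not Werkzeug's own code): parsing the method$salt$hash format described above and verifying a PBKDF2 entry with hashlib.pbkdf2_hmac and hmac.compare_digest, the standard-library replacements this page names, plus a check that flags the legacy methods check_password_hash still accepts. The helper names, the hex encoding of the hash field and the UTF-8 encoding of password and salt are assumptions; the sample hash is constructed.

```python
import hashlib
import hmac

LEGACY_METHODS = {"plain", "md5", "sha1"}  # legacy schemes named on this page
DEFAULT_ITERATIONS = 260000  # DEFAULT_PBKDF2_ITERATIONS value from this page


def parse_pwhash(pwhash):
    """Split 'method$salt$hash' into (digest, iterations, salt, hash).

    iterations is None for non-PBKDF2 (legacy) methods.
    """
    if pwhash.count("$") < 2:
        raise ValueError("not in method$salt$hash form")
    method, salt, hashval = pwhash.split("$", 2)
    parts = method.split(":")
    if parts[0] != "pbkdf2":
        return method, None, salt, hashval
    if len(parts) not in (2, 3):
        raise ValueError("expected pbkdf2:method[:iterations]")
    iterations = int(parts[2]) if len(parts) == 3 else DEFAULT_ITERATIONS
    return parts[1], iterations, salt, hashval


def make_pbkdf2(password, salt, digest="sha256", iterations=DEFAULT_ITERATIONS):
    """Build a pbkdf2:method:iterations$salt$hash string (assumed hex hash)."""
    raw = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations)
    return f"pbkdf2:{digest}:{iterations}${salt}${raw.hex()}"


def verify_pbkdf2(pwhash, password):
    """Constant-time check of a PBKDF2 entry; legacy entries are rejected."""
    digest, iterations, salt, expected = parse_pwhash(pwhash)
    if iterations is None:
        return False
    raw = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(raw.hex().encode(), expected.encode())


def needs_rehash(pwhash):
    """True for non-PBKDF2 methods, weak digests, or low iteration counts."""
    digest, iterations, _, _ = parse_pwhash(pwhash)
    return iterations is None or digest in LEGACY_METHODS or iterations < DEFAULT_ITERATIONS


# Constructed sample: low iteration count so the demo runs quickly.
SAMPLE = make_pbkdf2("correct horse", "Ab3dEf9hIj2kLmN0", iterations=1000)
```

Running needs_rehash over stored values at login time identifies accounts to re-hash with the current default once the password has been verified.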
def pbkdf2_bin(data, salt, iterations=DEFAULT_PBKDF2_ITERATIONS, keylen=None, hashfunc=None):

Returns a binary digest for the PBKDF2 hash algorithm of data with the given salt. It iterates iterations times and produces a key of keylen bytes. By default, SHA-256 is used as hash function; a different hashlib hashfunc can be provided.

Deprecated since version 2.0: Will be removed in Werkzeug 2.1. Use hashlib.pbkdf2_hmac instead.
New in version 0.9.
Parameters
data (t.Union[str, bytes]): the data to derive.
salt (t.Union[str, bytes]): the salt for the derivation.
iterations (int): the number of iterations.
keylen (t.Optional[int]): the length of the resulting key. If not provided the digest size will be used.
hashfunc (t.Optional[t.Union[str, t.Callable]]): the hash function to use. This can either be the string name of a known hash function or a function from the hashlib module. Defaults to sha256.
Returns
bytes: Undocumented
def pbkdf2_hex(data, salt, iterations=DEFAULT_PBKDF2_ITERATIONS, keylen=None, hashfunc=None):

Like pbkdf2_bin, but returns a hex-encoded string.

Deprecated since version 2.0: Will be removed in Werkzeug 2.1. Use hashlib.pbkdf2_hmac instead.
New in version 0.9.
Parameters
data (t.Union[str, bytes]): the data to derive.
salt (t.Union[str, bytes]): the salt for the derivation.
iterations (int): the number of iterations.
keylen (t.Optional[int]): the length of the resulting key. If not provided, the digest size will be used.
hashfunc (t.Optional[t.Union[str, t.Callable]]): the hash function to use. This can either be the string name of a known hash function, or a function from the hashlib module. Defaults to sha256.
Returns
str: Undocumented
def safe_join(directory, *pathnames):
Safely join zero or more untrusted path components to a base directory to avoid escaping the base directory.
Parameters
directory (str): The trusted base directory.
*pathnames (str): The untrusted path components relative to the base directory.
Returns
t.Optional[str]: A safe path, otherwise None.
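Added example (not the module's own code): a lexical containment check of the kind safe_join describes, returning None when an untrusted component would leave the base directory. contained_join, ALT_SEPS, resolve_all and the request paths are hypothetical names and constructed inputs.

```python
import posixpath

ALT_SEPS = ["\\"]  # assumption: non-"/" separators that are rejected outright


def contained_join(directory, *pathnames):
    """Join untrusted components under directory; return None on escape."""
    parts = [directory]
    for name in pathnames:
        if name != "":
            name = posixpath.normpath(name)  # collapse "a/../b", "./", "//"
        if (
            any(sep in name for sep in ALT_SEPS)
            or posixpath.isabs(name)
            or name == ".."
            or name.startswith("../")
        ):
            return None
        parts.append(name)
    return posixpath.join(*parts)


# Constructed request paths for a static-file handler rooted at BASE.
BASE = "/srv/static"
REQUESTS = ["css/site.css", "css/./x/../site.css", "../outside.txt",
            "css/../../outside.txt", "/abs/outside.txt", "css\\..\\..\\outside.txt"]


def resolve_all(base, requests):
    """Map each requested name to its joined path, or None if rejected."""
    return {name: contained_join(base, name) for name in requests}


if __name__ == "__main__":
    for name, path in resolve_all(BASE, REQUESTS).items():
        print(f"{name!r:32} -> {path}")
```

The check is purely lexical: symlinks inside the base directory are not resolved, so callers must treat a None result as "not found" and still control what the base directory contains.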
def safe_str_cmp(a, b):

This function compares strings in somewhat constant time. This requires that the length of at least one string is known in advance.

Returns True if the two strings are equal, or False if they are not.

Deprecated since version 2.0: Will be removed in Werkzeug 2.1. Use hmac.compare_digest instead.
New in version 0.7.
Parameters
a (str): Undocumented
b (str): Undocumented
Returns
bool: Undocumented
DEFAULT_PBKDF2_ITERATIONS: int = 260000

Undocumented
SALT_CHARS: str = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'

Undocumented
def _hash_internal(method, salt, password):
Internal password hash helper. Supports plaintext without salt, unsalted and salted passwords. In case salted passwords are used hmac is used.
Parameters
method (str): Undocumented
salt (str): Undocumented
password (str): Undocumented
Returns
t.Tuple[str, str]: Undocumented
_os_alt_seps: t.List[str] =

Undocumented