[MUSIC]

If you did build a social network with Flask,

you probably remember how we hashed our users passwords with bcrypt.

bcrypt is still an amazing hashing Library.

But its main protection,

the fact that it can be configured to use progressively more processor time,

has kind of been surpassed by the creation of faster and better GPU's.

This advance in hardware means that our software has been given a best by date.

Thankfully some for development doesn't just sit on its laurels and new

hashing libraries and techniques have been created that stress processors and memory.

No matter how much processor power you have,

eventually you will run out of memory.

Let's go see about building users with argon2 hashed passwords.

Before I can use the argon2 library to hash passwords.

I have to install it.

So for python, I'm just gonna pip install aargon2-cffi.

There are argon2 packages for lots of other languages.

And whenever you're installing this, you might find that you are missing ffi, so

you'll just need to lookup how to install that for

whatever your operating system is.

I've put a link to the argon2 docs in the teacher's notes, so

be sure to check there if there's something you wanna know more about.

I've also included a blog post from a friend of mine named Hinnick,

about why to use something like argon2, instead of bcrypt or whatever.

Okay, so I've got argon2 installed.

I think it's time to make a user model.

Let's make a new model up here.

And I'm gonna make it above these others, so that I can do foreign keys to them.

You know what, actually before, let's do a couple of other things here real quick.

So we need to do from argon2 import PasswordHasher.

And then I have these config things here,

I think I wanna move those into a new file.

So let's make a new file.

And we're gonna call this config.py.

And we'll take these things and cut them.

And then we will paste them into here.

And then let's get rid of that line, and let's just say import config.

And then down here,

I'll add this as config., config.

and config.

Cool.

So, I can save that.

And I wanna add one more item in here.

I want to add a secret_key.

And then you're just going to add a bunch of random characters to your secret key.

Just make it all fancy.

And then from here of course I want to do import config.

Now you might consider moving the database out to there as well just for kind of

putting everything together, but I'm not gonna worry about that for right now.

Okay, so let's add a HASHER in here which will be the PasswordHasher.

Okay, so let's make this user model.

All right, so users should have a username.

And that'll be a char field and I want that to be unique because I don't wanna

have more than one user with the same username, of course.

And then I'm gonna do a char field for the email address.

And I'm also gonna make that unique because again

I don't want more than one user to have the same stuff.

And then let's do password is equal to a CharField.

And I'm not gonna set any requirements on that.

So class meta database = database.

All right and then I want to provide a method for

creating a user and this should be

a class method because I need to work on the class and not on an instance.

So we're gonna accept the class.

And we're gonna take the username.

And we're gonna take the email.

And we're gonna take the password.

And we're gonna take any other cards that happen to come in.

Right now we don't care about them but who knows,

maybe in the future we want to allow their arguments.

All right. So first of all,

let's lowercase this email.

And then let's do cls.select

.where, we need two things here.

So, csl.email is equal to e-mail that was passed in.

Or cls.username is like,

case insensitive, is like username.

And then do a .get on that.

And then, if we get a cls.DoesNotExist error.

Then, that's good.

That means that the user doesn't exist.

So, we'll do An email=email.

And then I’m gonna do user.password = user.set password.

And provide the password.

User.save and return user.

Else, let's raise an exception.

And let's say user with that email or username already exists.

All right, cool.

So now, I need to produce this set password method.

So this is gonna be a static method.

Because again I don't want it to operate on an instance.

But I don't even want it to operate on the class.

I want it to just be this method that happens to belong to the user class.

But it doesn't care anything at all about the class,

which is why I say static method.

So we're gonna set the password, and we're gonna put in the password.

And we're gonna return HASHER.hash(password).

Cool, and then let's make a verify_password.

And this is actually going to take an instance.

This is just a normal everyday method nothing.

Nothing special about this one.

And we're gonna return HASHER.verify,

that self.password matches password.

And so argon2 is kind of cool because it actually throws an exception if

the passwords don't match.

So if this step was to fail it would throw an exception.

Because argon2 doesn't have any concept of not matching or an invalid password.

It just know these two things don't match.

Ideally you get the idea of how that works.

There's nothing really different about this.

One thing I will point out is that we don't actually need this.

In workspaces because we're using SQLite.

SQLite is really horrible with case sensitive searching.

So SQLite will work fine without that.

You do wanna have this for all the other databases, MySQL, Postres,

things like that.

I think we're good there and I'm going to go and make a user resource off camera.

I want you to try and make one on your own.

All it needs to have is a user list with a post that will create a new user.

That's all you have to make.

Go ahead and register it with the app and everything.

We'll check that out in the next video.

One thing that's really smart to do and Django does it Is if you want an example

is to create a way to upgrade password hashing.

You don't want to store the actual passwords but

when you use a new hasher to create an upgrade path,

that will change your users old hash to the new one the next time they will login.

You'll have a more secure application and

they'll appreciate not getting any we've been hacked e-mails.