Unable to Retrieve Admin Password Hash in Custom Flask Login API

Support Developer
1

So my journey with flask tryton is not over.

I’m developing a custom Flask API that integrates with Tryton for authentication. However, I’m running into an issue where I’m unable to retrieve the password hash for the admin user. Although I know that the admin’s password hash is correctly stored in the database, my API always returns None for the password hash field.

Here’s a brief summary of what I’ve done so far:

  1. I updated the transaction context to include sensitive fields using:
Transaction().context.update({'with_password': True, 'with_password_hash': True})
  1. I performed a search for the admin user and then used User.read() to fetch the fields.
  2. I also tried reading all fields (using an empty field list) to inspect what is being returned.

Despite these efforts, the password hash remains None in my API output.

Below is a simplified version of my login API code:

@app.route("/database/login", methods=['POST'])
@tryton.transaction()
def login_api():
    try:
        data = request.get_json()
        username = data.get('username')
        password = data.get('password')

        User = Pool().get('res.user')
       Transaction().context.update({'with_password': True, 'with_password_hash': True})

        user_ids = User.search([('login', '=', username)], offset=0, limit=1, order=())
        if not user_ids:
            return jsonify({"error": "User not found"}), 404

        user_data = User.read(user_ids, [])
        print("User Data:", user_data)

        pwd_hash = user_data[0].get('password_hash') or user_data[0].get('password')
        if not pwd_hash:
            return jsonify({"error": "User has no password set"}), 500

        # ... (password verification and session creation) ...

    except Exception as e:
        return jsonify({"error": str(e)}), 500

My question is: How can I return the password hash for the user? Is there a specific context flag or a different approach to ensure that sensitive fields like password_hash (or password) are included when reading user records?

2

This is on purpose, we do not expose password hash.

If you want to perform a login, you may use the get_login method.
But I would not advise managing login with an external application. It is probably better to use Web User Module or to use user application.

3

Wait, I kind of get it, but I still don’t understand. Should I use the web user module and the user application together to create login sessions, or should I use only one of them? And what about the Flask app I created for UI integration on vue—can I use the user application along with Flask?

4

The web user module is used when you want to autenticate a external party (for example a customer that wants to see their invoices in a portal).

The user application is used when you want to autenticate a user of the system using a token that authories any request. The user must enter tryton to accept this token and latter can use the flask application.

5

So its working like login session too?
I want to make a login and register for my frontend vue, but i need backend that would suffice both of this.

6

You can use plain logging session in backend if you want also.
But if you want to support self registration probably you want to use the web_user module.

7

plain logging session?