Archive for the 'django' Category

Django Authentication from Flex

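Django 'salts' passwords for added protection: it stores a SHA1 hash of the password combined with a random salt, so identical passwords do not produce identical hashes. This is a good thing, but it threw me off for a bit. I don't want to send the plaintext passwords over the wire, so I needed to grab the hash string from Django, break it apart, and reassemble it inside of Flex. Keep in mind that the reassembled hash then acts as the credential itself, so this only keeps the plaintext off the wire; the connection still needs TLS, and the user list (with its stored hashes) has to be treated as sensitive data. This did the trick: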

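/**
 * Handles the user-list result from loginService and, if the entered
 * username is present, submits a Django-style salted SHA1 credential
 * for verification.
 *
 * The stored password field is expected to look like "sha1$<salt>$<hash>".
 * The salt is taken from that field, the entered password is hashed with it,
 * and the rebuilt "sha1$<salt>$<hash>" string is passed to
 * loginService.verify_credentials().
 *
 * NOTE(review): this flow relies on the service returning every user's
 * stored password hash to the client, and the value sent to
 * verify_credentials() is the same on every login, so it is
 * password-equivalent on the wire. Prefer sending the password over TLS
 * and verifying it server-side; the service should not expose the
 * password field at all. Confirm against the server implementation.
 *
 * @param re Result event whose result is expected to be an Array of UserVO.
 */
private function onGetUsersComplete( re:ResultEvent ):void
{
	// One-shot handler: detach before doing anything that could throw.
	loginService.removeEventListener( ResultEvent.RESULT, onGetUsersComplete );

	// "as Array" yields null for any other result type; treat that as no users.
	var users:Array = re.result as Array;
	if ( users == null )
	{
		users = [];
	}

	var isValidUser:Boolean = false;
	for ( var i:int = 0; i < users.length; i++ )
	{
		var record:Object = users[i];
		if ( record == null || record.username != this.username )
		{
			continue;
		}

		// Expect exactly algorithm$salt$hash; anything else (other algorithm,
		// unusable-password marker, missing field) is reported as a failed
		// login rather than sent as a malformed credential.
		var parts:Array = String( record.password ).split( '$' );
		if ( parts.length != 3 || parts[0] != 'sha1' || parts[1] == '' )
		{
			break;
		}

		currentUser = record as UserVO;
		var salt:String = parts[1];

		// Register the result handler before issuing the call.
		loginService.addEventListener( ResultEvent.RESULT, onVerifyCredentialsResult, false, 0, true );

		//django specific password scheme
		password = 'sha1$' + salt + '$' + SHA1.hash( salt + password );
		loginService.verify_credentials( username, password );
		isValidUser = true;

		// Stop at the first match: a second pass would hash the already
		// hashed password and issue a duplicate request.
		break;
	}

	if ( !isValidUser )
	{
		sendNotification( ApplicationFacade.LOGIN_FAILED, "Invalid Username" );
	}
}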