1 files changed, 77 insertions, 56 deletions

diff --git a/docs/quick_tutorial/authentication.rst b/docs/quick_tutorial/authentication.rst
index 4b4eb1ba3..cd038ea36 100644
--- a/docs/quick_tutorial/authentication.rst
+++ b/docs/quick_tutorial/authentication.rst
@@ -1,29 +1,30 @@
+.. _qtut_authentication:
+
 ==============================
-20: Logins With Authentication
+20: Logins with authentication
 ==============================
 
-Login views that authenticate a username/password against a list of
-users.
+Login views that authenticate a username and password against a list of users.
+
 
 Background
 ==========
 
-Most web applications have URLs that allow people to add/edit/delete
-content via a web browser. Time to add
-:ref:`security <security_chapter>`
-to the application. In this first step we introduce authentication.
-That is, logging in and logging out using Pyramid's rich facilities for
-pluggable user storages.
+Most web applications have URLs that allow people to add/edit/delete content
+via a web browser. Time to add :ref:`security <security_chapter>` to the
+application. In this first step we introduce authentication. That is, logging
+in and logging out, using Pyramid's rich facilities for pluggable user storage.
+
+In the next step we will introduce protection of resources with authorization
+security statements.
 
-In the next step we will introduce protection resources with
-authorization security statements.
 
 Objectives
 ==========
 
-- Introduce the Pyramid concepts of authentication
+- Introduce the Pyramid concepts of authentication.
 
-- Create login/logout views
+- Create login and logout views.
 
 Steps
 =====
@@ -32,26 +33,36 @@ Steps
 
    .. code-block:: bash
 
-    $ cd ..; cp -r view_classes authentication; cd authentication
-    $ $VENV/bin/python setup.py develop
+       cd ..; cp -r view_classes authentication; cd authentication
+
+#. Add ``bcrypt`` as a dependency in ``authentication/setup.py``:
+
+   .. literalinclude:: authentication/setup.py
+    :language: python
+    :emphasize-lines: 6
+    :linenos:
+
+#. We can now install our project in development mode:
+
+   .. code-block:: bash
+
+       $VENV/bin/pip install -e .
 
 #. Put the security hash in the ``authentication/development.ini``
-   configuration file as ``tutorial.secret`` instead of putting it in
-   the code:
+   configuration file as ``tutorial.secret`` instead of putting it in the code:
 
    .. literalinclude:: authentication/development.ini
     :language: ini
     :linenos:
 
-#. Get authentication (and for now, authorization policies) and login
-   route into the :term:`configurator` in
-   ``authentication/tutorial/__init__.py``:
+#. Get authentication (and for now, authorization policies) and login route
+   into the :term:`configurator` in ``authentication/tutorial/__init__.py``:
 
    .. literalinclude:: authentication/tutorial/__init__.py
     :linenos:
 
-#. Create a ``authentication/tutorial/security.py`` module that can find
-   our user information by providing an *authentication policy callback*:
+#. Create an ``authentication/tutorial/security.py`` module that can find our
+   user information by providing an *authentication policy callback*:
 
    .. literalinclude:: authentication/tutorial/security.py
     :linenos:
@@ -67,7 +78,7 @@ Steps
     :language: html
     :linenos:
 
-#. Provide a login/logout box in ``authentication/tutorial/home.pt``
+#. Provide a login/logout box in ``authentication/tutorial/home.pt``:
 
    .. literalinclude:: authentication/tutorial/home.pt
     :language: html
@@ -77,13 +88,13 @@ Steps
 
    .. code-block:: bash
 
-    $ $VENV/bin/pserve development.ini --reload
+       $VENV/bin/pserve development.ini --reload
 
 #. Open http://localhost:6543/ in a browser.
 
 #. Click the "Log In" link.
 
-#. Submit the login form with the username ``editor`` and the password 
+#. Submit the login form with the username ``editor`` and the password
    ``editor``.
 
 #. Note that the "Log In" link has changed to "Logout".
@@ -93,42 +104,52 @@ Steps
 Analysis
 ========
 
-Unlike many web frameworks, Pyramid includes a built-in (but optional)
-security model for authentication and authorization. This security
-system is intended to be flexible and support many needs. In this
-security model, authentication (who are you) and authorization (what
-are you allowed to do) are not just pluggable, but de-coupled. To learn
-one step at a time, we provide a system that identifies users and lets
-them log out.
-
-In this example we chose to use the bundled
-:ref:`AuthTktAuthenticationPolicy <authentication_module>`
-policy. We enabled it in our configuration and provided a
-ticket-signing secret in our INI file.
-
-Our view class grew a login view. When you reached it via a GET,
-it returned a login form. When reached via POST, it processed the
-username and password against the "groupfinder" callable that we
-registered in the configuration.
-
-In our template, we fetched the ``logged_in`` value from the view
-class. We use this to calculate the logged-in user,
-if any. In the template we can then choose to show a login link to
-anonymous visitors or a logout link to logged-in users.
-
-Extra Credit
+Unlike many web frameworks, Pyramid includes a built-in but optional security
+model for authentication and authorization. This security system is intended to
+be flexible and support many needs. In this security model, authentication (who
+are you) and authorization (what are you allowed to do) are not just pluggable,
+but decoupled. To learn one step at a time, we provide a system that identifies
+users and lets them log out.
+
+In this example we chose to use the bundled :ref:`AuthTktAuthenticationPolicy
+<authentication_module>` policy. We enabled it in our configuration and
+provided a ticket-signing secret in our INI file.
+
+Our view class grew a login view. When you reached it via a ``GET`` request, it
+returned a login form. When reached via ``POST``, it processed the submitted
+username and password against the "groupfinder" callable that we registered in
+the configuration.
+
+The function ``hash_password`` uses a one-way hashing algorithm with a salt on
+the user's password via ``bcrypt``, instead of storing the password in plain
+text. This is considered to be a "best practice" for security.
+
+.. note::
+    There are alternative libraries to ``bcrypt`` if it is an issue on your
+    system. Just make sure that the library uses an algorithm approved for
+    storing passwords securely.
+
+The function ``check_password`` will compare the two hashed values of the
+submitted password and the user's password stored in the database. If the
+hashed values are equivalent, then the user is authenticated, else
+authentication fails.
+
+In our template, we fetched the ``logged_in`` value from the view class. We use
+this to calculate the logged-in user, if any. In the template we can then
+choose to show a login link to anonymous visitors or a logout link to logged-in
+users.
+
+
+Extra credit
 ============
 
 #. What is the difference between a user and a principal?
 
 #. Can I use a database behind my ``groupfinder`` to look up principals?
 
-#. Do I have to put a ``renderer`` in my ``@forbidden_view_config``
-   decorator?
-
-#. Once I am logged in, does any user-centric information get jammed
-   onto each request? Use ``import pdb; pdb.set_trace()`` to answer
-   this.
+#. Once I am logged in, does any user-centric information get jammed onto each
+   request? Use ``import pdb; pdb.set_trace()`` to answer this.
 
 .. seealso:: See also :ref:`security_chapter`,
-   :ref:`AuthTktAuthenticationPolicy <authentication_module>`.
+   :ref:`AuthTktAuthenticationPolicy <authentication_module>`, `bcrypt
+   <https://pypi.org/project/bcrypt/>`_