更新登录逻辑，等待数据库进一步完善

accounts/views.py

@@ -1,6 +1,7 @@
 import base64
 import json
 import os
+import hmac
 
 from django.http import JsonResponse, HttpResponseBadRequest
 from django.shortcuts import render, redirect
@@ -8,7 +9,8 @@ from django.views.decorators.http import require_http_methods
 from django.views.decorators.csrf import csrf_protect
 from django.conf import settings
 
-from .es_client import get_user_by_username, _salt_for_username
+from .es_client import get_user_by_username
+from .crypto import salt_for_username, hmac_sha256
 
 
 @require_http_methods(["GET"])
@@ -30,7 +32,7 @@ def challenge(request):
 
     # Generate nonce and compute per-username salt
     nonce = os.urandom(16)
-    salt = _salt_for_username(username)
+    salt = salt_for_username(username)
 
     # Persist challenge in session to prevent replay with mismatched user
     request.session["challenge_nonce"] = base64.b64encode(nonce).decode("ascii")
@@ -71,10 +73,7 @@ def login_submit(request):
         nonce = base64.b64decode(nonce_b64)
         stored_derived_b64 = user.get("password", "")
         stored_derived = base64.b64decode(stored_derived_b64)
-        # HMAC-SHA256: server computes with stored derived secret
-        import hmac, hashlib
-        server_hmac = hmac.new(stored_derived, nonce, hashlib.sha256).digest()
-        server_hmac_b64 = base64.b64encode(server_hmac).decode("ascii")
+        server_hmac_b64 = base64.b64encode(hmac_sha256(stored_derived, nonce)).decode("ascii")
     except Exception:
         return HttpResponseBadRequest("Verification error")
 
@@ -89,7 +88,7 @@ def login_submit(request):
 
     request.session["user_id"] = user["user_id"]
     request.session["username"] = user["username"]
-    request.session["premission"] = user["premission"]
+    request.session["permission"] = user["permission"]
 
     # Clear challenge to prevent reuse
     for k in ("challenge_username", "challenge_nonce"):