Comment 1 for bug 867459

Barry Warsaw (barry) wrote:

I'm actually going to close this as Fix Committed. Here's what you can do; if this is insufficient, please reopen this bug (although it may indeed get postponed until after 3.0).

Let's say you're Postorius and someone has just typed their email address and password. You GET this resource:

http://localhost:<email address hidden>

Dig out the `password` attribute in the JSON. Now, you are armed with the encoded-hashed password of the user, and the cleartext password they typed into the form. You then use this Python code to do the verification:

from flufl.password import verify

# json_password: the `password` attribute from the JSON; typed_password: the form input.
if verify(json_password, typed_password):
    # The user successfully logged in.
    pass

See http://packages.python.org/flufl.password/docs/using.html#verifying-a-password for details.
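The flow described in the comment above, end to end, as an added example that is not part of the original comment and is not flufl.password's code. It assumes the stored value is an RFC 2307 style `{SSHA}` string and uses a standard-library stand-in for `verify`; `verify_ssha`, `make_ssha`, `login` and the sample JSON are hypothetical names and constructed data.

```python
import base64
import hashlib
import hmac
import json

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(cleartext: bytes, salt: bytes) -> str:
    """Build a constructed {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(cleartext + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(encoded: str, cleartext: bytes) -> bool:
    """Stand-in for verify(); handles only {SSHA} and fails closed otherwise."""
    if not encoded.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(encoded[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:  # digest present but no salt: reject
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(cleartext + salt).digest()
    # Constant-time comparison so timing does not leak digest prefixes.
    return hmac.compare_digest(digest, candidate)


def login(user_json: str, typed_password: str) -> bool:
    """Dig the `password` attribute out of the user JSON and verify it."""
    try:
        record = json.loads(user_json)
    except json.JSONDecodeError:
        return False
    if not isinstance(record, dict):
        return False
    stored = record.get("password")
    if not isinstance(stored, str) or not stored:
        return False  # missing or malformed attribute never authenticates
    return verify_ssha(stored, typed_password.encode("utf-8"))


# Constructed sample of the JSON the GET would return (only the field used here).
SAMPLE_USER_JSON = json.dumps(
    {"password": make_ssha(b"correct horse", b"\x01\x02\x03\x04")}
)
```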