2. PHPRunner General questions
  3. Custom password encryption support ==> change password
This topic is locked

Custom password encryption support ==> change password

 		8/2/2021 7:05:29 PM
PHPRunner General questions
T
 thomas.voelker author

when using a custom password encryption, password change does not work, because the password is validated against the database, which only holds the encrypted password.

protected function changePassword() {
// CSRF protection
if( !isPostRequest() )
return;

global $globalEvents;

$values = $this->getControlValues();

$dc = new DsCommand();
$dc->filter = $this->getUsernameCondition();
$qResult = $this->dataSource->getList( $dc );

$data = $qResult->fetchAssoc();
$row = $this->cipherer->DecryptFetchedArray( $data );

$dbOldPass = "";
if( !$row ) {
$this->message = mlang_message("INVALID_PASSWORD");
return false;
}

$dbOldPass = $row[ $this->passwordField ];
$username = $row[ $this->usernameField ];

if( !$this->token ) {
if( !Security::verifyPassword( $values["oldpass"], $dbOldPass ) ) {
$this->message = mlang_message("INVALID_PASSWORD");
return false;
}
}

$oldPass = $dbOldPass;

$newPass = $values["newpass"];
if( $this->pwdStrong && !checkpassword( $newPass ) ) {
$this->message = $this->getPwdStrongFailedMessage();
$this->jsSettings["tableSettings"][ $this->tName ]["msg_passwordError"] = $this->message;
return false;
}

$retval = true;
if( $globalEvents->exists("BeforeChangePassword") )
$retval = $globalEvents->BeforeChangePassword( $oldPass, $newPass, $this );

$values["newpass"] = $newPass;
if( $retval ) {
$dc = $this->getUpdateCommand( $values["newpass"] );
$this->dataSource->updateSingle( $dc, false );

if( $this->auditObj )
$this->auditObj->LogChPassword( $username );

if( $globalEvents->exists("AfterChangePassword") )
$globalEvents->AfterChangePassword( $oldPass, $values["newpass"], $this );
}

return $retval;
}

From my understanding the solution would be to omit the password verification what would require token to be set. How can this be done properly?
admin 8/2/2021

Implementing a custom password encryption would require multiple changes in source code to handle all password ecryption, change, validation, reset etc situation. This is definitely not something that we recommend or support.

What's wrong with using built-in password encryption that utilizes undustry-standard BCRYPT algorithm?

T
 		thomas.voelker author 8/3/2021

It is more an implementation of an authentication and autorization scheme which works on the database level.

We have a stored procedure that authenticates users and supplies them a time bombed access token which has to be supplied to stored procedures that return, change or add data.

That implements access checking in the database layer, as many conditions apply where users are not allowed to change some records, but are allowed to change other.

For user data I was able to implement this, but the problem is the password changing. I already had to break some part of the functionality by bypassing the stored procedure and creating a view to be used as users table, but the very point is that the password in that view is not the password of the user but data related to the access token.

To change the password I have to use a stored procedure which verifies the old password (SHA2-256 hashed) and is supplied the access token in addition and also does certain checks on the new password.

Usually I would do this using the before password change event - if it worked like the before login event where I could transform the password to a value that is then compared to the password value from the view.

If it was an option to access the auth table directly I would do this. But unfortunately it is not.

I understand from your reply that there is no sufficient way to do this within the functionality PHPRunner provides and that if that functionality is needed I have to change the exported PHP files. Please let me know if that is not correct.
admin 8/3/2021

I confiirm that this kind of scenario would require changes either in source or in generated PHP files.