Problem/Motivation

I tried to prepare users on my dev system giving them passwords, export them and deploy them to the target system. This did not work as intended. The export contains the hashed passwords alright, as is to be expected. But after import into the target system it was not possible to log in using the password I had chosen.

The hash value in the users table was not equal to the one in the export JSON file. I had a hunch as to what may have happened, so I tried to log in giving the hash from the file as the clear text password, and the login succeeded. So importing a user will cause the string under "pass" to be sent through the hashing function another time instead of being used as-is.

Steps to reproduce

  • Create a user on the source system with a known password
  • Export the user
  • Import the user on the target system
  • Provide the clear text password. This will fail.
  • Try it with the value from the exported file. This will succeed.

Proposed resolution

Do not hash the already hashed password a second time when importing.
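
The round trip from the steps above, modelled in Python as an added example (not code from the reporter, the module or Drupal). The PBKDF2 hash format, the function names and the sample user and password are assumptions made for the model; it compares an importer that re-hashes "pass" with one that stores it unchanged.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 50_000  # demo work factor for this constructed model

def hash_password(plain):
    """Return a salted PBKDF2 hash string in the form salt$digest (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def check_password(candidate, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def export_user(db, name):
    """The export carries the stored hash under "pass", as in the report."""
    return json.dumps({"name": name, "pass": db[name]})

def import_rehash(db, exported):
    """Reported behaviour: "pass" is treated as clear text and hashed again."""
    rec = json.loads(exported)
    db[rec["name"]] = hash_password(rec["pass"])

def import_as_is(db, exported):
    """Proposed resolution: store the already hashed value unchanged."""
    rec = json.loads(exported)
    db[rec["name"]] = rec["pass"]

def round_trip(importer, plain="correct horse"):  # constructed sample password
    """Create on source, export, import on target, then try both logins."""
    source, target = {"alice": hash_password(plain)}, {}
    exported = export_user(source, "alice")
    importer(target, exported)
    exported_hash = json.loads(exported)["pass"]
    return {
        "clear_text_login": check_password(plain, target["alice"]),
        "exported_hash_login": check_password(exported_hash, target["alice"]),
        "hash_preserved": target["alice"] == source["alice"],
    }

if __name__ == "__main__":
    print("re-hash on import:", round_trip(import_rehash))
    print("store as-is:      ", round_trip(import_as_is))
```

In the re-hash case the string in the export file is what authenticates, so the file has to be handled as if it held clear text passwords for any account imported that way.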


Comments

cspitzlay created an issue. See original summary.

cspitzlay’s picture

Issue summary: View changes
cspitzlay’s picture

Title: User passwords export / import broken » User password export / import broken
byrond’s picture

We had the same issue and used the following patch to import the password directly into the database after saving the entity. The entity type condition should probably come first as a separate if() statement, and it would be better to use dependency injection for the database service, but this worked for our needs.

byrond’s picture

Status: Active » Needs review

I forgot to set this to "Needs review" (even though the patch likely needs work).

mkalkbrenner’s picture

Version: 8.x-1.x-dev » 2.0.x-dev
FileSize
4.1 KB

@byrond thanks for your proposal. I just adjusted it a bit.

  • mkalkbrenner committed d0e31e2 on 2.0.x authored by byrond
    Issue #3240017 by byrond, mkalkbrenner, cspitzlay: User password export...
mkalkbrenner’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

cspitzlay’s picture

I successfully tested the fixed version by deploying a user. I've been able to log in with the correct clear text password.

Thanks!