Problem/Motivation
I tried to prepare users on my dev system giving them passwords, export them and deploy them to the target system. This did not work as intended. The export contains the hashed passwords alright, as is to be expected. But after import into the target system it was not possible to log in using the password I had chosen.
The hash value in the users table was not equal to the one in the export json file. I had a hunch as to what may have happened so I tried to log in giving the hash from the file as clear text password and the login succeeded. So importing a user will cause the string under "pass" to be sent through the hashing function another time instead of being used as-is.
Steps to reproduce
- Create a user on the source system with a known password
- Export the user
- Import the user on the target system
- Provide the clear text password. This will fail.
- Try it with the value from the exported file. This will succeed.
Proposed resolution
Do not hash the already hashed password a second time when importing.
Comment | File | Size | Author |
---|---|---|---|
#6 | 3240017.patch | 4.1 KB | mkalkbrenner |
#4 | import-hashed-user-password-3240017-4.patch | 843 bytes | byrond |
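The double hashing described in this issue, modelled as an added example that is not code from the module or from either attached patch. It uses PHP's `password_hash()` and `password_verify()` on an in-memory array; the function names, the `$pre_hashed` flag and the sample password are assumptions made for illustration. It shows why, after the reported import behaviour, the hash string from the export file logs in while the chosen password does not, and how storing the hash as-is restores the expected behaviour.

```php
<?php
// Added illustration: in-memory model, not Drupal or module code.
// Function names and the $pre_hashed flag are hypothetical.

// Models an entity save: 'pass' is hashed unless marked as already hashed.
function save_user(array &$table, array $user, bool $pre_hashed = false): void {
    if (!$pre_hashed) {
        $user['pass'] = password_hash($user['pass'], PASSWORD_DEFAULT);
    }
    $table[$user['name']] = $user;
}

function export_user(array $table, string $name): string {
    return json_encode($table[$name]);
}

// Reported behaviour: the exported hash is saved like a clear-text password.
function import_user_buggy(array &$table, string $json): void {
    save_user($table, json_decode($json, true));
}

// Proposed resolution: store the exported hash as-is.
function import_user_fixed(array &$table, string $json): void {
    $user = json_decode($json, true);
    // Added safeguard: reject a value that is not a recognisable hash, so a
    // clear-text password in an edited export is never stored verbatim.
    if (password_get_info($user['pass'])['algoName'] === 'unknown') {
        throw new InvalidArgumentException('"pass" is not a known hash format');
    }
    save_user($table, $user, true);
}

function can_log_in(array $table, string $name, string $password): bool {
    return password_verify($password, $table[$name]['pass']);
}

$password = 'constructed-sample-password';  // constructed sample value
$source = [];
save_user($source, ['name' => 'alice', 'pass' => $password]);
$json = export_user($source, 'alice');
$exported_hash = json_decode($json, true)['pass'];

foreach (['buggy' => 'import_user_buggy', 'fixed' => 'import_user_fixed'] as $label => $import) {
    $target = [];
    $import($target, $json);
    printf("%s import: clear-text login=%s, exported-hash login=%s\n", $label,
        var_export(can_log_in($target, 'alice', $password), true),
        var_export(can_log_in($target, 'alice', $exported_hash), true));
}
```

While the buggy import is in place, the export file should be handled as if it contained working credentials for the target system, because the hash string in it is accepted as the password there.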
Comments
Comment #2
cspitzlay
Comment #3
cspitzlay
Comment #4
byrond (CreditAttribution: byrond at Palantir.net) commented:
We had the same issue and used the following patch to import the password directly into the database after saving the entity. The entity type condition should probably come first as a separate if() statement, and it would be better to use dependency injection for the database service, but this worked for our needs.
Comment #5
byrond (CreditAttribution: byrond at Palantir.net) commented:
I forgot to set this to "Needs review" (even though the patch likely needs work).
Comment #6
mkalkbrenner
@byrond thanks for your proposal. I just adjusted it a bit.
Comment #8
mkalkbrenner
Comment #10
cspitzlay
I successfully tested the fixed version by deploying a user. I've been able to log in with the correct clear text password.
Thanks!