Authentication plugins and database fields (HashMethod, Password)
ddumont
@Todd
Taking a stroll through my user table today I see that everyone has a pw hash set, even those who've logged in via a connector plugin like google/fb/twitter/etc.
Sometimes the hashmethod is NULL, sometimes Random... sometimes Vanilla.
I'm assuming that Vanilla hash methods are native forum logins.
Do you think it would be possible then to key off of this difference and change the behavior of the 'change password' action in the user profile to either be 'set password' or not require the old password if the user has used a plugin to log into the forum?
I assume you would just check for HashMethod != 'Vanilla'...
Would you welcome a patch for this for .18 gold? I'm trying to figure out a good user auth story for my app integration to my forum and this looks like it might do fine as long as users can go set a password if they don't already have one.
The current workaround means they will have to request a pw reset, which kinda makes the instructions a bit more complicated than they should be.
Best Answer
Todd Vanilla Staff
I'd love a patch for this. The password stuff is a little messy wrt connect. I think what needs to happen is for connect passwords to be set to "Random" and have that be the criteria for not requiring a password on reset.
For your information, I think both hash methods of blank and vanilla get hashed by our algorithm. There are also other types of hashes based on other forum imports: vBulletin, phpBB, and django.
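An added example, not part of the thread and not Vanilla's own code: a sketch of the rule from the answer above, where only `HashMethod = 'Random'` skips the old-password check and every other value is treated as a password the user may actually know. `changePassword()`, the row layout and the sample rows are hypothetical, and PHP's `password_hash()`/`password_verify()` stand in for the forum's hasher.

```php
<?php
// Added example (hypothetical names). Only the HashMethod and Password columns
// and the hash-method values come from the thread.
function changePassword(array $user, ?string $old, string $new): array
{
    $method = $user['HashMethod'] ?? null;

    if ($method === 'Random') {
        // Connect-created account: the stored hash is of a random string the
        // user never knew, so there is no old password to ask for.
    } elseif ($method === 'Vanilla' || $method === null || $method === '') {
        // Blank and Vanilla are both treated as real, user-chosen passwords.
        if ($old === null || !password_verify($old, $user['Password'])) {
            throw new RuntimeException('old password required');
        }
    } else {
        // Imported hash (vBulletin, phpBB, django): a real password exists but
        // this sketch cannot verify it, so send the user to the reset flow.
        throw new RuntimeException('use password reset');
    }

    $user['Password']   = password_hash($new, PASSWORD_DEFAULT);
    $user['HashMethod'] = 'Vanilla'; // later changes now require the old password
    return $user;
}

// Constructed sample rows, one per hash method mentioned in the thread.
$rows = [
    ['Name' => 'sso_user', 'HashMethod' => 'Random',
     'Password' => password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT)],
    ['Name' => 'native',   'HashMethod' => 'Vanilla',
     'Password' => password_hash('old-secret', PASSWORD_DEFAULT)],
    ['Name' => 'blank',    'HashMethod' => null,
     'Password' => password_hash('old-secret', PASSWORD_DEFAULT)],
    ['Name' => 'imported', 'HashMethod' => 'vBulletin',
     'Password' => 'constructed-placeholder-hash'],
];

foreach ($rows as $row) {
    try {
        // No old password supplied: only the Random row should succeed.
        $updated = changePassword($row, null, 'new-secret');
        echo "{$row['Name']}: password set, HashMethod now {$updated['HashMethod']}\n";
    } catch (RuntimeException $e) {
        echo "{$row['Name']}: refused ({$e->getMessage()})\n";
    }
}
```

A `HashMethod != 'Vanilla'` test would instead let the blank and imported rows replace a real password without proving knowledge of it, which is why the check here is an allow-list on `Random`.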
Answers
It's fairly straightforward... but I didn't get to thoroughly test it because I haven't upgraded to .18 beta yet... I'll be doing that when you release beta 3.
Let me know if you would like me to change anything. I'd like to see this in before beta 3 comes out (if you have the time, that is).