
WP and VF users have different passwords

Hi all,
I successfully connected WordPress and VanillaForum with SSO, so far so good.
But now I have a major issue and will try to explain it.
Both the WP and VF user tables are filled with almost the same users, but they have different passwords and the real user doesn't know which password he has in VF.
So, when a user who doesn't exist in VF's users table arrives from WP, he is added to VF, automatically logged in, and all works fine. Great!

If a user comes from WP and that user exists in VF's users table AND his password coincides, the user is automatically logged in to VF, all is fine. Great!

BUT, if a user comes from WP and his password IS DIFFERENT from the VF one, JSconnect offers to log in with the user recognized as a WP user, printing a link "USERNAME Sign in with PROVIDER". Clicking on this leads to the VF login form, where it recognizes the username and asks for the password.
BUT the password is the VF one and my user doesn't know it, so it's impossible to log in to VF.

What I would like to do.

In class.jsconnect.plugin.php file at row #86, there is the string " $ConnectLabel = ''.sprintf(T('Sign in with %s'), $Provider['Name']).'';" that creates the offer to connect with the source account.

At this point, instead of showing the link, I would like to put a function that completely updates the VF user data with the WP data.
In this way, replacing those data and pairing WP/VF happens only once.

Unfortunately I'm not skilled in JS so I ask for a hand.

Also, as I don't think that I'm the only one in this situation, I believe that an option like "Want replace VF data with WP ones?" should be added to the JSCONNECT plugin.

VF 2.2.1 and Vanilla jsConnect 1.5.3

Thanks in advance to everyone that will answer.

Marco

Comments

  • vrijvlindervrijvlinder Papillon-Sauvage MVP

    This is the expected behavior; the same happens if they log in using Facebook. The way to fix it is to have them change their Vanilla password. If they are using the same name or email, the same password should work. The fact that you get a Vanilla sign-in form when you are not logged into WP is a reminder that you are not connected elsewhere and must sign in to the forum.

  • Hi vrijvlinder,
    and thanks for answering.
    I know that this is the behavior, but I said that my users cannot change the password and don't know what the password is.
    This is why I want to automatically replace the VF password with the WP one (or all user data).

    Do you perhaps know which function creates the new user in VF's JSconnect bridge? This could help a lot.
    Thanks in advance

    Marco

  • LincLinc Detroit Admin
    edited October 2016

    You want to enable AutoConnect in Vanilla so they aren't prompted for their Vanilla password and it auto-maps them to any existing forum account using the same email address. This presumes you TRUST your WordPress logins are accurate with verified email addresses.

    Set this in your Vanilla config:

    $Configuration['Garden']['Registration']['AutoConnect'] = true;

  • MacitalyMacitaly New
    edited October 2016

    Thanks Linc, I'll try it immediately.
    And yes, I trust the accuracy of my users, but what I would like to know is whether this changes the VF password or not.
    Thanks a lot

    Marco

  • LincLinc Detroit Admin

    No, this will not affect the Vanilla password. We use a different hashing method than WordPress, I think. There's no way for us to securely transport the password between systems, and there's no good reason to do it.

  • LincLinc Detroit Admin

    To force everyone to only use WordPress, you can use the "Connect" registration method in Vanilla. If your jsConnect connection is set to be your default registration method (there's a checkbox on the individual connection's settings page) then this will forward all your login & registration links to point at WordPress.

  • Hi Linc,
    the autoconnect works just fine. I hid the welcome box so there is no other way to log in or sign on from Vanilla, and this is enough for me so far; I need to open this forum ASAP.
    About the password: yes, WP uses md5 and VF SHA1, I think, but this isn't a problem when a WP user enters VF for the first time: VF creates a new user with the WP data and they match afterwards.
    So, my question was: how to replace VF data with WP ones?

    Anyway, all works fine now and I can finally start to work on VF.
    Really thanks a lot for this help.
    Kind Regards,

    Marco

  • LincLinc Detroit Admin
    edited October 2016

    @Macitaly said:
    So, my question was: how to replace VF data with WP ones?

    It's not safe for plugins to do this, and it shouldn't be done.

    Glad it's working now. :chuffed:

  • x00x00 MVP
    edited October 2016

    Vanilla password hashes used to be mutually compatible. However, I don't think WordPress is using the blowfish/crypt form of phpass currently used by Vanilla.

    However, WordPress to Vanilla will still work, but generally not the other way round, as Vanilla will try to upgrade to the strongest hash.

    This is advanced information anyway.

    grep is your friend.

  • Thanks to both of you.
    When a new user (new to the VF user table) coming from WP enters VF via SSO, Vanilla takes the WP data to create a new VF user that, after this, matches the WP user perfectly, and it recognizes him immediately the next time the user comes, am I right? I think yes.
    And there is a function that does this operation, of course.
    So what I ask myself is this: why can't I clone and modify that function so that it doesn't create a new user but updates an existing one, and call the function as soon as VF sees that the user already exists (but the passwords don't match)?
    All that is needed is already there; I only need to copy and alter a function.
    Why isn't this behavior safe, if it's the same that VF uses to create new users?
    Not automatically, but as an option in the JSConnect plugin.

    Anyway, now the forum works and this is only to understand. No need to answer if you think it is useless.
    Thanks anyway for great support

    Marco

  • LincLinc Detroit Admin
    edited October 2016

    @Macitaly said:
    When a new user (new to the VF user table) coming from WP enters VF via SSO, Vanilla takes the WP data to create a new VF user that, after this, matches the WP user perfectly, and it recognizes him immediately the next time the user comes, am I right? I think yes.
    And there is a function that does this operation, of course.

    It's mapping the UniqueID from WordPress to the UserID in Vanilla so that subsequent logins flow thru seamlessly. This is also what happens the first time a user connects to an existing account.

    A dummy password is set in Vanilla and plays no part in this. We never use the password to authenticate the user during SSO unless they already have a Vanilla account with the same email AND you haven't configured SSO to auto-connect.

    @Macitaly said:
    All that is needed is already there; I only need to copy and alter a function.
    Why isn't this behavior safe, if it's the same that VF uses to create new users?

    It's not the same. No SSO - as in, none in the entire world I've ever heard of - transmits a password between systems.
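
Added example, not part of the original thread and not Vanilla or jsConnect source code: a simplified PHP model of the connect decision Linc describes above and of what the `AutoConnect` setting changes. The function name `resolveSsoLogin()`, the array shapes and the sample users are assumptions made for illustration; the provider's claims carry an identity (UniqueID, name, email) and never a password.

```php
<?php
// Simplified model of the connect decision described in this thread.
// Not Vanilla or jsConnect source: resolveSsoLogin() and the array shapes are hypothetical.
function resolveSsoLogin(array $claims, array &$users, array &$map, bool $autoConnect): array
{
    $uid = (string) $claims['uniqueid'];   // the claims never contain a password

    // 1. Already linked: sign in through the stored UniqueID => UserID mapping.
    if (isset($map[$uid])) {
        return ['signin', $map[$uid]];
    }
    // 2. Not linked yet: is there a forum account with the same email?
    $match = null;
    foreach ($users as $userID => $user) {
        if (strcasecmp($user['Email'], $claims['email']) === 0) {
            $match = $userID;
            break;
        }
    }
    if ($match === null) {
        // 3. New user: create the account with a dummy password (random here, an assumption).
        $match = $users ? max(array_keys($users)) + 1 : 1;
        $users[$match] = ['Name' => $claims['name'], 'Email' => $claims['email'],
                          'Password' => bin2hex(random_bytes(16))];
        $action = 'created';
    } elseif ($autoConnect) {
        // 4. AutoConnect on: the provider's email is trusted, so link without a prompt.
        $action = 'autoconnected';
    } else {
        // 5. AutoConnect off: the user must prove ownership with the forum password.
        return ['prompt_forum_password', $match];
    }
    $map[$uid] = $match;   // the stored password of an existing account is not touched
    return [$action, $match];
}

// Constructed sample data: one existing forum account, no mappings yet.
$users = [7 => ['Name' => 'alice', 'Email' => 'alice@example.org', 'Password' => 'forum-hash']];
$map   = [];
$alice = ['uniqueid' => 'wp-12', 'name' => 'alice', 'email' => 'Alice@example.org'];
$bob   = ['uniqueid' => 'wp-13', 'name' => 'bob',   'email' => 'bob@example.org'];

print_r(resolveSsoLogin($alice, $users, $map, false)); // existing email, AutoConnect off
print_r(resolveSsoLogin($alice, $users, $map, true));  // existing email, AutoConnect on
print_r(resolveSsoLogin($alice, $users, $map, false)); // same user again, mapping now stored
print_r(resolveSsoLogin($bob, $users, $map, true));    // email unknown to the forum
```

Linking by email in step 4 is only as strong as the provider's email verification, which is the trust condition stated together with the AutoConnect setting earlier in the thread.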

  • Hi Linc,
    OK, now it's clearer, thanks for the explanation.
    Have a great day

    Marco
