Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Need help implementing a different password handling into Vanilla

edited November 2006 in Vanilla 1.0 Help
Hi experts!! I have a task to do: integrating the nice Vanilla into an existing structure for testing purposes. As the site has its own user management, it should be an easy task (and most of the things work from scratch). The big problem is the usage of passwords in the given user management: it uses "salt" added to the password hashs. As easy it is to copy all user information into LUM_User... as hard it is for me to find the right place, where i could manipulate Vanilla, that it uses the same structure for creating and validating the same password structure (I got a little lost, while walking through the framework). The existing functions are pretty easy: function validate_password($plain, $encrypted) { if (tep_not_null($plain) && tep_not_null($encrypted)) { // split apart the hash / salt $stack = explode(':', $encrypted); if (sizeof($stack) != 2) return false; if (md5($stack[1] . $plain) == $stack[0]) { return true; } } return false; } function encrypt_password($plain) { $password = ''; for ($i=0; $i<10; $i++) { $password .= tep_rand(); } $salt = substr(md5($password), 0, 2); $password = md5($salt . $plain) . ':' . $salt; return $password; } As you can easily see, the hashes and the "salt" is stored like "86009c99b15779ddc661d74fa8f0ac58:e6" in the DB (some bytes longer, which is not the point). So, if anyone could help me finding the right place to implement this existing structure... it would be much appreciated!! Thanx in advance!

Comments

  • MarkMark Vanilla Staff
    edited August 2006
    You don't have to move your users into the vanilla table.

    You can keep your users in the existing table and make Vanilla use *that* table instead. Just make sure that all of the vanilla fields exist in your other table. You can rename and remap them using the database structure in appg/database.php (copy that structure into conf/database.php to customize).

    Once that is finished and Vanilla now maps to your user table, you can create a new authenticator class for Vanilla to use. Copy the existing library/People/People.Class.Authenticator.php file, rename it to library/People/People.Class.MyAuthenticator.php, and then alter it as needed. It might sound tough, but it's really not. All the Vanilla authenticator does is grabs cookie or session values and returns the Vanilla UserID based on those values. So, if your system's sessions contain the userid, there's almost no work involved. You just grab it and return it. If your system's session don't contain the UserID, then there might be some more work querying the database to get it.

    The final step is to make Vanilla use your authenticator instead of the standard one. To do that you just specify the name of the authenticator to use in your conf/settings.php file like this:

    $Configuration["AUTHENTICATION_MODULE"] = "People/People.Class.MyAuthenticator.php";
  • hi Mark, When I copy database.php to my conf folder, should I delete any corresponding values (that I've changed) in the original appg/database.php, or delete the database.php in appg altogether? thanks, jon
  • Your conf folder contents will override the settings in the appg folder so what you do with repeated values really isnt an issue. Next time you upgrade vanilla it'l all be overwritten anyway :)
  • MarkMark Vanilla Staff
    Well, your conf folder won't be overwritten, but appg will.
  • Yeah that's what i meant. Sorry.
  • edited August 2006
    Hi Mark! Thanx for your advice on how to implement library/People/People.Class.MyAuthenticator.php. I sneaked a little bit around in your sqlbuilder class and tried to understand how things work - but I'm not sure if I'm on the right way. The "class Authenticator"s function "Authenticate" in the original People.Class.Authenticator.php uses the instruction "$s->AddWhere('u', 'Password', '', $Password, '=', 'and', 'md5', 1, 1);" As I don't see any other chance then modifying this instruction to let the framework construct the correct SQL for that case, I only wanted to ask, if this instruction would a) run and b) does the same, what the function "validate_password" from my 1st posting does. It looks a little bit wierd: "$s->AddWhere('u', 'SUBSTRING(Password, LOCATE(':', Password) -1)', '', 'CONCAT(SUBSTRING(Password FROM (LOCATE(':', Password) +1)),' . $Password . ')', '=', 'and', 'md5', 1, 1);" Do you think, that this could lead to my goal... or is there a more elegant way I didn't see..? Thanx in advance for another advice...
  • MarkMark Vanilla Staff
    I don't really know what you're trying to do there. The SqlBuilder is only meant for the most basic syntax. Anything beyond that, and you might as well just construct your sql as a string and do something more like:

    $sql = 'select whatever from wherever'; $Result = $this->Context->Database->Execute($sql, 'Authenticator', 'ValidatePassword', 'An error occurred while attempting to validate your password');
  • *rofl* Cmon, thats too easy! I thought I'll get a nobel price for pressing every damn sql instruction into that line, then push it over to the fabulous Sqlbuilder and finally debug the output til I'm completely gone mad... Thanx for anything! (And your great work on Vanilla... btw)
  • MarkMark Vanilla Staff
    :D
  • edited November 2006
    Mark, I just wanted to thank you for making that so easy! We're converting from vB3.5 to Vanilla now, and I was dreading the password differences. But I just made it so single-hashed passwords (md5(password)), vb passwords (md5(md5(password).salt)) and un-hashed passwords work in 5 minutes. Thank you for Vanilla! A developers dream! e: Sorry to bump such an old thread.
This discussion has been closed.