
Implement editing hash password field with custom algo/salt?

Posted: Wed Oct 05, 2011 12:00 am
by FractalizeR
Hello.

I have a table in my database with a list of users. They are users of my own application; this table doesn't have any relation to Xataface authorization. Its structure is like

Code:
CREATE TABLE IF NOT EXISTS `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` char(50) CHARACTER SET latin1 NOT NULL,
  `password_hash` binary(20) NOT NULL,
  `password_salt` char(5) NOT NULL,
  PRIMARY KEY (`id`)
);


The password is defined like
Code:
$password = RandomPasswordGenerator::generate(PasswordGenerator::ALLOWED_CHARS_LATIN_ALPHA_NUMERIC, 12);

$insertDb['password_salt'] = RandomPasswordGenerator::generate(PasswordGenerator::ALLOWED_CHARS_LATIN_ALPHA_NUMERIC, 5);
$insertDb['password_hash'] = sha1(sha1($password, true) . $insertDb['password_salt'], true);


So, the password field value depends on the salt value. How do I implement a UI for the admin with Xataface to allow an administrator to change the password for a given user?

I tried to look at the field__serialize example on the forum, but it seems it doesn't allow you to access values of fields other than the one being serialized in the handler.

I'm new to Xataface, but already inspired by its capabilities :) Can you help me?

Re: Implement editing hash password field with custom algo/salt?

Posted: Wed Oct 05, 2011 9:26 am
by shannah
PHPBB does something similar. See this page of the wiki for some tips on how it was done for that app:
http://xataface.com/wiki/Authenticating ... sers_table

Re: Implement editing hash password field with custom algo/salt?

Posted: Thu Oct 06, 2011 3:22 am
by FractalizeR
Thanks. I almost got it working.

I used fields.ini:
Code:
[password_hash]
widget:label = "New password for user"
widget:type=text
visibility:list=hidden
validators:required=0


And the following class table definition:
Code:
class tables_user {

    function password_hash__serialize($password) {
        // Cast the id to an integer so it cannot alter the query
        // (addslashes() is not a reliable SQL escape)
        $sql = "SELECT password_hash, password_salt FROM user WHERE id=" . (int) $_POST['id'];
        $res = mysql_query($sql, df_db());
        if (!$res) {
            throw new Exception(mysql_error(df_db()));
        }
        $data = mysql_fetch_assoc($res);
        mysql_free_result($res);

        //If no password was set by admin
        if (empty($password)) {
            return $data['password_hash'];
        }

        //Hashing password
        $hash = sha1(sha1($password, true) . $data['password_salt'], true);
        return $hash;
    }

    function password_hash__display() {
        return "";
    }

    function password_hash__toString() {
        return "";
    }
}


Password changing works. The only problem that remains is that validators:required=0 doesn't work in 1.3.rc6. I've filed a bug report on that.
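
The following is an added example, not part of the thread and not Xataface code. It separates the thread's hashing scheme into plain functions, shows the "blank field keeps the old hash" decision a serialize handler has to make, and adds the matching login-side check with a constant-time comparison. The function names and the sample row are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not Xataface API.

// The scheme from the thread: raw SHA-1 of (raw SHA-1 of the password . salt).
// The result is 20 raw bytes, which is why the column is binary(20).
function legacy_hash(string $password, string $salt): string {
    return sha1(sha1($password, true) . $salt, true);
}

// The decision the serialize handler makes: a blank form field keeps the
// stored hash, anything else is hashed with the row's existing salt.
// The strict comparison, unlike empty(), does not treat the password "0" as blank.
function hash_for_save(string $submitted, string $storedHash, string $storedSalt): string {
    if ($submitted === '') {
        return $storedHash;
    }
    return legacy_hash($submitted, $storedSalt);
}

// Login-side check; hash_equals() compares in constant time.
function verify_password(string $candidate, string $storedHash, string $storedSalt): bool {
    return hash_equals($storedHash, legacy_hash($candidate, $storedSalt));
}

// Constructed sample row (not real data).
$row = ['password_salt' => 'aB3xZ'];
$row['password_hash'] = legacy_hash('old-password-1', $row['password_salt']);

// Admin leaves the field blank: the hash is unchanged and the old password still verifies.
$kept = hash_for_save('', $row['password_hash'], $row['password_salt']);
var_dump($kept === $row['password_hash']);
var_dump(verify_password('old-password-1', $kept, $row['password_salt']));

// Admin types a new password: the new hash verifies and the old password no longer does.
$new = hash_for_save('new-password-2', $row['password_hash'], $row['password_salt']);
var_dump(strlen($new));
var_dump(verify_password('new-password-2', $new, $row['password_salt']));
var_dump(verify_password('old-password-1', $new, $row['password_salt']));
```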