Implement editing hash password field with custom algo/salt?

Post by FractalizeR » Wed Oct 05, 2011 12:00 am

Hello.

I have a table in my database with a list of users. They are users of my own application; this table doesn't have any relation to Xataface authorization. Its structure is like

Code:
CREATE TABLE IF NOT EXISTS `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` char(50) CHARACTER SET latin1 NOT NULL,
  `password_hash` binary(20) NOT NULL,
  `password_salt` char(5) NOT NULL,
  PRIMARY KEY (`id`) -- MySQL requires an AUTO_INCREMENT column to be a key
)


Password is defined like
Code:
// Random 12-character initial password
$password = RandomPasswordGenerator::generate(PasswordGenerator::ALLOWED_CHARS_LATIN_ALPHA_NUMERIC, 12);

// Per-user 5-character salt, stored next to the hash
$insertDb['password_salt'] = RandomPasswordGenerator::generate(PasswordGenerator::ALLOWED_CHARS_LATIN_ALPHA_NUMERIC, 5);
// Raw 20-byte SHA-1 of (raw SHA-1 of the password . salt), fits binary(20)
$insertDb['password_hash'] = sha1(sha1($password, true) . $insertDb['password_salt'], true);


So, password field value depends on salt value. How do I implement UI for admin with Xataface to allow administrator to change password for a given user?

I tried to look at the field__serialize example on the forum, but it seems it doesn't allow you to access values of fields other than the one being serialized in the handler.

I'm new to Xataface, but already inspired by its capabilities :) Can you help me?
FractalizeR
 
Posts: 19
Joined: Tue Oct 04, 2011 5:26 am

Re: Implement editing hash password field with custom algo/salt?

Post by shannah » Wed Oct 05, 2011 9:26 am

PHPBB does something similar. See this page of the wiki for some tips on how it was done for that app:
http://xataface.com/wiki/Authenticating ... sers_table
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: Implement editing hash password field with custom algo/salt?

Post by FractalizeR » Thu Oct 06, 2011 3:22 am

Thanks. I almost got it working.

I used fields.ini:
Code:
[password_hash]
widget:label = "New password for user"
widget:type=text
visibility:list=hidden
validators:required=0


And the following class table definition:
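Code:
class tables_user {

    // Converts the submitted field value into the value stored in the database.
    function password_hash__serialize($password) {
        // id is an integer column: cast it rather than relying on addslashes()
        $id = isset($_POST['id']) ? (int) $_POST['id'] : 0;
        $sql = "SELECT password_hash, password_salt FROM user WHERE id=" . $id;
        $res = mysql_query($sql, df_db());
        if (!$res) {
            throw new Exception(mysql_error(df_db()));
        }
        $data = mysql_fetch_assoc($res);
        mysql_free_result($res);

        // If no password was set by admin, keep the stored hash
        if (empty($password)) {
            return $data['password_hash'];
        }

        // Hash the new password with the user's existing salt
        $hash = sha1(sha1($password, true) . $data['password_salt'], true);
        return $hash;
    }

    // Never show the stored hash in the UI
    function password_hash__display() {
        return "";
    }

    // Keep the edit form field empty instead of pre-filling it with the hash
    function password_hash__toString() {
        return "";
    }
}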


Password changing works. The only problem that remains is that validators:required=0 doesn't work in 1.3.rc6. I've filed a bug report on that.
FractalizeR
 
Posts: 19
Joined: Tue Oct 04, 2011 5:26 am
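
The scheme from this thread as stand-alone PHP, covering both sides: producing the `password_hash`/`password_salt` pair when a password is set, and checking a login against a stored row with a constant-time comparison. This is an added example, not code from the posts or from Xataface; the function names are hypothetical, PHP 7+ is assumed for `random_int()`, and the sample password is constructed. It keeps the thread's SHA-1 construction so existing rows stay valid.

```php
<?php
// Added example, not from the original posts. All function names are hypothetical.

const SALT_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// The thread's scheme: sha1( sha1(password, raw) . salt, raw ) -> 20 raw bytes.
function thread_hash(string $password, string $salt): string
{
    return sha1(sha1($password, true) . $salt, true);
}

// Draw the salt from the CSPRNG; 5 characters to fit the char(5) column.
function new_salt(int $length = 5): string
{
    $salt = '';
    $max = strlen(SALT_CHARS) - 1;
    for ($i = 0; $i < $length; $i++) {
        $salt .= SALT_CHARS[random_int(0, $max)];
    }
    return $salt;
}

// Column values to store whenever a password is set or changed.
// A new salt is generated each time, so hash and salt must be written together.
function new_credentials(string $password): array
{
    $salt = new_salt();
    return [
        'password_salt' => $salt,
        'password_hash' => thread_hash($password, $salt),
    ];
}

// Login check against a row read from the `user` table.
// hash_equals() compares in constant time, unlike == or strcmp().
function verify_password(string $password, array $row): bool
{
    $expected = thread_hash($password, $row['password_salt']);
    return hash_equals($row['password_hash'], $expected);
}

// Constructed sample data, standing in for a row from the `user` table.
$row = new_credentials('constructed-sample-password');
var_dump(strlen($row['password_hash']));                        // length of the raw hash
var_dump(verify_password('constructed-sample-password', $row)); // matching password
var_dump(verify_password('some-other-password', $row));         // non-matching password
```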

