Moving users to other system #391

Open
carloc opened this Issue · 5 comments

4 participants

@carloc

Hello. I was wondering, since I have my users identified by authlogic, with a crypted_password and a password_salt in my database, what is the procedure to authenticate this data.
I tried sha512 digest crypted+salt as hex but with no luck (obviously with a known password).

Can someone please point me in the right direction?

Thank you very much!!

@nathany

There is mention of authlogic sha512 if you search devise (if that's what you're moving to):

https://github.com/plataformatec/devise/search?q=authlogic&ref=cmdform&type=Code

@carloc

@nathany Yeah, as I said I tried using sha512, but with no luck! I'm not using devise by the way, but I'm moving to node.js with passport.js as authentication middleware...

@nathany

@carloc Sorry, I don't know enough about cryptography to provide more useful assistance.

@nickpearson

Take a look at the Password#valid_password? method. This will lead to the Sha512#matches? method.

The tokens array passed to matches? will contain [raw_password, salt] (as returned by the Password#encrypt_arguments method).

Assuming you haven't changed any of the Authlogic options, you should be able to hash a cleartext password and arrive at what is stored in your database using this:

require 'digest'

# default join_token is nil (used to join)
# default stretches is 20
digest = ['the-raw-password', 'the-salt'].flatten.join(nil)
20.times { digest = Digest::SHA512.hexdigest(digest) }
digest # the encrypted password

The actual encryption of a new password to be stored in the database happens in the Password#password= method.

Note that the encrypt_arguments method could be renamed to encryption_arguments. This method is just preparing the arguments to pass to the encrypt method of the chosen provider and is not performing any encryption itself.

Hope this helps.
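
For the move to Node.js mentioned earlier in the thread, the same computation can be written with Node's built-in crypto module. This is an added example, not code from the thread or from Authlogic; it assumes the default options described in the comment above (no join token, 20 stretches) and UTF-8 strings, and the function names and sample row are hypothetical.

```javascript
const crypto = require('node:crypto');

// Port of the Ruby snippet above: join password and salt with no separator,
// then apply SHA-512 `stretches` times. Each round hashes the lowercase hex
// string of the previous round, not its raw bytes.
function authlogicSha512(rawPassword, salt, stretches = 20) {
  if (!Number.isInteger(stretches) || stretches < 1) {
    throw new RangeError('stretches must be a positive integer');
  }
  let digest = String(rawPassword) + String(salt);
  for (let i = 0; i < stretches; i++) {
    digest = crypto.createHash('sha512').update(digest, 'utf8').digest('hex');
  }
  return digest;
}

// Check a login attempt against the stored crypted_password in constant time.
function verifyAuthlogicPassword(rawPassword, salt, cryptedPassword, stretches = 20) {
  // A stored value that is not a 128-character hex string cannot match.
  if (typeof cryptedPassword !== 'string' || !/^[0-9a-f]{128}$/i.test(cryptedPassword)) {
    return false;
  }
  const expected = Buffer.from(authlogicSha512(rawPassword, salt, stretches), 'hex');
  const stored = Buffer.from(cryptedPassword, 'hex');
  return crypto.timingSafeEqual(expected, stored);
}

// Constructed sample row (not real data), using the Authlogic column names
// mentioned in the question.
const sampleUser = {
  password_salt: 'constructed-salt-123',
  crypted_password: authlogicSha512('correct horse', 'constructed-salt-123'),
};
```

With passport.js, `verifyAuthlogicPassword` would be called from the strategy's verify callback with the submitted password and the user's `password_salt` and `crypted_password` columns.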

@tiegz
Collaborator

@carloc did @nickpearson's advice work?
