
[Bug] Unable to log in. #984

Open
it911now opened this issue Aug 16, 2021 · 2 comments


What happened?

After logging out of the BoxBilling site, I am unable to log into the site.

  1. After reinstalling BoxBilling 4.22 I could never log back into the system using the admin account the first time.
  2. On another attempt, I created another admin user just after installation, and that user could not log in either from another device or browser.
  3. On another occasion, I created a standard user after installation and was able to log in in a different browser with the standard user, but not with the initial admin user created at installation.
    a) I copied the password HASH from the working user account to the admin user "pass" field but that didn't work either.
    b) So in looking at another BoxBilling issue about the trailing slash, I noticed that there is a SALT included in the bb-config.php file but not in the database in the "table:admin".

So to fix the problem, I copied the salt from the bb-config.php file and placed it in the salt field for each user, and this allowed all the users to log into the site.

My question is,

  1. Is this by design to not include the "SALT" in the database for each user?
  2. Did I miss something during the installation process that caused this to work this way?
  3. Is this a BUG and the installation process is supposed to add the SALT to each user upon the user creation process?

BoxBilling Version

v4.22-beta.1

What version of PHP are you running?

7.4x

Additional Notes

Additional notes


BelleNottelling commented Aug 17, 2021

This definitely sounds like a bug, but I haven't experienced it and have done many installs of BB while developing it.

Since 4.22-beta.1 is so old, could you try this upcoming release? It's not officially out, but it has a fair few bug fixes and security improvements. It hasn't been thoroughly tested yet, but I'm pretty sure it should be just as stable as, if not more stable than, the version you're trying.

This is just the current master branch but with all of the composer dependencies pre-packaged. If for whatever reason you don't feel comfortable with this, then download the current master branch and use composer to install the dependencies as directed in our readme.

4.22-beta.2 (updated 8/23/21)

If you're going to try re-using your current config please take note of the new config options which must be added.

        /**
         * Note about rate limiting login attempts:
         * When the limit is reached, a default delay of 2 seconds is added to the request.
         * This makes brute forcing a password basically useless while not outright blocking legitimate traffic.
         * When calculating, ensure the rate limited traffic can still make enough requests to stay rate limited.
         * Ex: One request every 2 seconds is more than 20 times in 1 minute, so the IP will remain throttled.
         */

        // Throttling delay in seconds
        'throttle_delay'         =>  2,

        // Time span for the login limit, in seconds
        'rate_span_login'         =>  60,

        // How many login requests are allowed per time span
        'rate_limit_login'        =>  20,

It may also be helpful to know what software the webserver is being run on and the respective versions. Thanks
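The rate-limit reasoning in that config comment, worked through as an added example that is not BoxBilling's own code: a hypothetical per-IP sliding-window throttle in Python using the three values above, showing that a client retrying as soon as each response arrives stays throttled for the whole run, while a user making a few spaced-out attempts is never delayed. The IP addresses, the 50 ms unthrottled response time and the class name are constructed assumptions.

```python
import collections

# Constructed parameters mirroring the bb-config.php fragment above (assumed values)
THROTTLE_DELAY = 2        # seconds added to a request once the limit is exceeded
RATE_SPAN_LOGIN = 60      # window length in seconds
RATE_LIMIT_LOGIN = 20     # login requests allowed per window


class LoginThrottle:
    """Hypothetical per-IP sliding-window counter (not BoxBilling's implementation)."""

    def __init__(self, limit=RATE_LIMIT_LOGIN, span=RATE_SPAN_LOGIN, delay=THROTTLE_DELAY):
        self.limit, self.span, self.delay = limit, span, delay
        self.hits = collections.defaultdict(collections.deque)

    def request(self, ip, now):
        """Record a login request at time `now`; return the delay (seconds) to apply."""
        window = self.hits[ip]
        # Forget timestamps that have aged out of the window
        while window and now - window[0] >= self.span:
            window.popleft()
        window.append(now)
        # Every request above the limit in the current window is slowed down
        return self.delay if len(window) > self.limit else 0


def simulate_retrying_client(duration=600):
    """Client that resends immediately after each response; returns (attempts, throttled)."""
    throttle = LoginThrottle()
    now = 0.0
    attempts = throttled = 0
    while now < duration:
        delay = throttle.request("198.51.100.7", now)   # constructed sample address
        attempts += 1
        throttled += delay > 0
        # A throttled response takes `delay` seconds; an unthrottled one 50 ms (assumed)
        now += delay or 0.05
    return attempts, throttled


def simulate_spaced_user():
    """Three attempts a few seconds apart: delay returned for each (all zero)."""
    throttle = LoginThrottle()
    return [throttle.request("203.0.113.5", t) for t in (0, 5, 12)]
```

With a 2 s delay the retrying client lands 30 requests per 60 s window, above the limit of 20, so once throttled it never recovers: 320 attempts in 10 minutes instead of the 12,000 it could have made unthrottled.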

@BelleNottelling

@it911now Hi there, haven't heard back from you in quite awhile.
Did you resolve the issue?
