EZP-31462: Removed password hash types break login #141
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Fixup: Get the default hash type from the password hash service, rather than hardcoding it. NB: It's not at all certain that the final fix will look like this. It may be the wrong place to fix it. |
|
Kudos, SonarCloud Quality Gate passed!
|
alongosz
requested changes
Dec 4, 2020
|
Fair point. Set as work in progress, and I've asked for Eng help on it. I need to focus on the growing security issue list, and this isn't security. Maybe @kaff will be able to look at this later? 🏃💨 |
alongosz
force-pushed
the
ezp-31462_removed_password_hash_types_break_login
branch
from
cee5500
to
2944284
Compare
alongosz
force-pushed
the
ezp-31462_removed_password_hash_types_break_login
branch
from
2944284
to
9947249
Compare
alongosz
approved these changes
Feb 11, 2021
alongosz
requested review from
mikadamczyk,
adamwojs,
ciastektk,
Nattfarinn and
webhdx
and removed request for
kaff
Steveb-p
approved these changes
Feb 11, 2021
adamwojs
approved these changes
Feb 11, 2021
ciastektk
approved these changes
Feb 11, 2021
Co-Authored-By: Paweł Niedzielski <Steveb-p@users.noreply.github.com>
|
Kudos, SonarCloud Quality Gate passed!
|
micszo
approved these changes
Feb 16, 2021
alongosz
deleted the
ezp-31462_removed_password_hash_types_break_login
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
v3.2+The previous fixes are incomplete. When an invalid hash type is detected, we expire the password and ask the user to enter a new password. But when we save this new password, we don't update the hash type, which means the password isn't saved, and the user ends up in a redirect loop.
However, cache can mask the issue. If you test by manually changing hash type to an invalid one in the db, you have to clear caches before you go through the test steps.
This fix catches when the type is invalid, and sets it to the default type in that case.
DOC: Once fixed, I suggest the relevant doc should mention that you have to upgrade to at least version x for this to work.
https://github.com/ezsystems/developer-documentation/blob/03a7cc0ea04f3e6bf7ebf22a8bea53840123196e/docs/releases/ez_platform_v3.0_deprecations.md#password-hashes
Checklist:
$ composer fix-cs).@ezsystems/php-dev-team).