Logging in on frontend of Magento 2.3.2 doesn't seem to work properly after you ran 'bin/magento customer:hash:upgrade'

[hostep]

Preconditions (*)

1. PHP 7.2.19 where you have the sodium extension installed, and have libsodium >= 1.0.13 (this is very important!)

Steps to reproduce (*)

1. Have Magento 2.3.1 installed
2. Create 2 customers in the frontend, remember their passwords
3. Look into the database to the password_hash column in the customer_entity table, they look something like this: {64-random-chars}:{32-random-chars}:1 Screen1
4. Upgrade to Magento 2.3.2
5. Login with the first customer in the frontend
6. Look at the database again, his password_hash has changed to: {64-random-chars}:{16-random-chars}:2 Screen2
7. Logout and log back in with the first customer, notice that this works => good
8. Now, assume you can't wait on every customer to login to upgrade their password hash and just do it yourself by running bin/magento customer:hash:upgrade
9. Look at the database again, the password_hash for the second customer has changed to: {64-random-chars}:{32-random-chars}:1:2 Screen3
10. Now try to login with the second customer on the frontend, this does not work => not good

Expected result (*)

1. It is expected to be able to login with a customer after you ran bin/magento customer:hash:upgrade

Actual result (*)

1. You can't login with a customer after you ran bin/magento customer:hash:upgrade

Discussion

I assume executing bin/magento customer:hash:upgrade upgrades the password_hash to the new algorithm, but not by using the unhashed password, because it can't know it. Then on the next login of that particular customer, it should detect this because the hash ends with :1:2 and then again re-hash it and change it to just :2.
But that doesn't seem to be working here for some reason.
Watch out: I have no idea if this is actually how Magento wanted to implement this, but this makes sense. Unfortunately there seems to be something broken in the implementation.

[m2-assistant]

Hi @hostep. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento give me 2.3-develop instance - upcoming 2.3.x release

For more details, please, review the Magento Contributor Assistant documentation.

@hostep do you confirm that you were able to reproduce the issue on vanilla Magento instance following steps to reproduce?

• yes
• no

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

[hostep]

I haven't tested it yet on a vanilla installation, but it would surprise me if it actually works on vanilla. I can spend some time testing it on a vanilla installation later if you want me to (bit busy at the moment, sorry).

[m2-assistant]

Hi @engcom-Bravo. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

• 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• 4. Verify that the issue is reproducible on 2.3-develop branch

  Details

  - Add the comment @magento give me 2.3-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.3-develop branch, please, add the label Reproduced on 2.3.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• 5. Verify that the issue is reproducible on 2.2-develop branch.

  Details

  - Add the comment @magento give me 2.2-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.2-develop branch, please add the label Reproduced on 2.2.x

• 6. Add label Issue: Confirmed once verification is complete.

• 7. Make sure that automatic system confirms that report has been added to the backlog.

[hostep]

@engcom-Bravo, just FYI: please don't try to test this on the 2.3-develop branch, because parts of the Magento 2.3.2 code which is necessary for this issue hasn't landed yet in the 2.3-develop branch at the time of writing. (specifically this commit: MC-5843: Add Argon2ID support)

[engcom-Bravo]

Hello @hostep. I know this. Thanks

[engcom-Bravo]

I have 2.3.2 composer version and with upgrade from 2.3.1 to 2.3.2 all reproduce where step9. but I able login both customer1 and customer2. On step10 I have {64-random-chars}:{32-random-chars}:2.

[hostep]

Ok, that means that you don't have the sodium php extension installed. So Magento still uses the old password hashing algorithm.
So try to install the sodium php extension, and also libsodium (at least version 1.0.13) and you should be able to reproduce the problem.

[engcom-Bravo]

Now checked database:

[engcom-Bravo]

{64-random-chars}:{16-random-chars}:2. Then runed bin/magento customer:hash:upgrade. After this problem not reproduce. And Hashe not changed

[hostep]

Are you sure you didn't log in first with the second user?

So steps:

1. Magento 2.3.1: create a new user in frontend and logout.
2. Upgrade to Magento 2.3.2, and run bin/magento customer:hash:upgrade (do not attempt to login before you executed that command)
3. Try to login with the user in frontend, it doesn't work anymore.

Update: I've just updated my initial post, the steps to reproduce were a little bit too complex, it should be more clear now.
I also tried to reproduce it again, and was able to trigger the bug, so please follow all the steps carefully.