I've been given the task of transferring a user database from one FOSUserBundle/Symfony project to another.
My sample user from the old project has been transferred over to the new project containing all the same fields [ salt, password, etc ], yet I'm unable to login using the same username / password combination.
What else goes into the password storage in FOSUserBundle that would make the password + salt combination invalid between projects, and how can I transfer the raw data of the old project into the new project.
My input is a JSON file with all the user table details. I am importing this through PHP, and creating and persisting user objects in a loop without using fos_user.user_manager.
foreach ($obj as $userData) {
if (isset($userData['personalDetails'])) {
if (isset($userData['personalDetails']['firstName'])) {
/** #var User $user */
$user = new User();
$user->setId($userData['id']);
$user->setSalt($userData['salt']);
$user->setPassword($userData['password']);
$user->setUsername($userData['email']);
$user->setEmail($userData['email']);
$user->setEnabled($userData['enabled']);
$user->setExpired($userData['expired']);
$user->getPersonalDetails()->setFirstName($userData['personalDetails']['firstName']);
$user->getPersonalDetails()->setLastName($userData['personalDetails']['lastName']);
$user->setFacebookId($userData['facebookId']);
$user->setFacebookAccessToken($userData['facebookAccessToken']);
$user->setGoogleId($userData['googleId']);
$user->setGoogleAccessToken($userData['googleAccessToken']);
$this->getDoctrine()->getManager()->persist($user);
}
}
}
You can use the same table (FOSUSER) with your new project or just dump your table and move it to your new database.
If you do that, you have to keep the same "Encoder configuration" on the security as the old project.
The UserPassword only need the salt, the PlainPassword and user the encoded user to create the hashed password. If you have the same configuration in the configuration in the new project like the old one everything will be ok. Hope I help you .. Let us know.
//Security.yml
security:
encoders:
Site\UserBundle\Entity\User: sha512
FOS\UserBundle\Model\UserInterface: sha512
Related
I use a SQLite database instead of MySQL for authentication on my Laravel app. The registration works perfectly, but the login does not work correctly.
I get the following error:
These credentials do not match our records.
Please, help me to solve it!
When you register a new user, the password about to be stored must be encrypted with the bcrypt() helper, such as bcryp($request->password).
Otherwise the credentials will not match during login time.
Also, if you did not use the users migration packed with Laravel, the password field must be a minimum of 64 characters in lenght.
Add this code in your User model
/**
* Hash password by bcrypt before save in database.
*
* #param type $password
*/
public function setPasswordAttribute($password)
{
if (isset($password)) {
$this->attributes['password'] = bcrypt($password);
}
}
everything is working but you have to ensure that
your SQLite DB is not open somewhere else
if it will open in DB browser or any other such type of tool just close that and try again later
will work fine
please please someone help me , my boss would kill me , this code is not working in laravel , because password is hashed , it is bcryted , how do i compare and get my us_id ( wich stands for username_id ) , the one that tried to login but has the wrong password , do you have any suggestioin , what i'm trying to do is very simple , i'm trying to understand if the user entered a wrong password but his/her username is right . i am beginner . sorry for that :( . i know this won't work , but what should i do to understand if the user entered a wrong password ?
public function login(Request $request, Logs $logs)
{
$password = $request->input('password');
$myuser = \DB::table('users')->where('password', $password)->first();
if (\Hash::check($password, $myuser->password)) {
$logdata = $myuser->id;
$logs->insert($logdata);
return view('MainPages.example', ['pass' => $password]);
}
}
The password is hashed by Laravel, so use the Hash::check() method:
if (\Hash::check($password, $myuser1->password)) {
The Laravel Hash facade provides secure Bcrypt hashing for storing user passwords. If you are using the built-in LoginController and RegisterController classes that are included with your Laravel application, they will automatically use Bcrypt for registration and authentication.
https://laravel.com/docs/5.5/hashing
You can't expect this to work.
Passwords are stored encrypted. Multiple people could theoretically have the exact same password, but none of them would look identical when stored. Therefore you don't know what to look for in the record, even if you know what password you are looking for because you don't know what salt was used for the particular record where it is stored.
You just can't retrieve a record on a password lookup like this. Rather, you have to retrieve the record first (based on some other key, eg. username or id) and then see if the password encrypts to match from the given password that has the ever important salt.
This is going to sound very weird but kindly bear with me. I have built a symfony2 application which runs pretty well on the web.
Some users in the field are having so much trouble accessing the application on their phones in the field because we all know how heavy symfony is. The situation is so bad i'm forced to heavily scale down their access to just a four page access with just three php files, 1 for authentication, one for data entry and one for viewing their entries, all these without using symfony2 but plain php.
Now to my question, how do i check password against database password/salt?
I'm using FOSUserBundle for security
Are you sure you're using FOSUserBundle for security? I think you'll find you're using the core SecurityBundle for that. The way the user's password is stored will depend on how you have configured the security system.
The MessageDigestPasswordEncoder is what is used to encode the passwords. From looking at that code you can replicated it as needed. The gist of it is merge the password and salt ($password.'{'.$salt.'}') and then run it through PHP's hash function hash($this->algorithm, $salted, true) for however many iterations are needed.
Although, not specifically related to the question you asked, I'm a little confused as to what you mean by having to scale back the PHP for mobile users? Server page generation will take just as long for mobile as desktop users so why are you reimplementing outside of the symfony framework?
you can use user manager to check user credentials validity. i've created the following function for such mission.
/**
* authorize user by username and password
*
* #param string $username
* #param string $raw_password
*/
public function authUserByUsernamePassword($username, $raw_password) {
$userManager = $this->container->get('fos_user.user_manager');
$user = $userManager->findUserByUsername($username);
// username not found
if (!$user) {
throw new \Exception("User with username: $username not found!", 0);
}
$encoder_service = $this->container->get('security.encoder_factory');
$encoder = $encoder_service->getEncoder($user);
$encoded_pass = $encoder->encodePassword($raw_password, $user->getSalt());
if($encoded_pass != $user->getPassword()){
throw new \Exception("wrong password!", 0);
}
// Get UsernamePasswordToken
$token = new UsernamePasswordToken($user, $user->getPassword(), 'main', $user->getRoles());
// Set token
$this->authUserByToken($token);
return $this->getUserToken($user);
}
I'm trying to authenticate users in Mysql database generated by Symfony 2. In Security.yml I have this :
security:
encoders:
"FOS\UserBundle\Model\UserInterface": sha512
In User Table there is 2 fields : Salt and Password.
All passwords are like that :
YqkYUe0pV/TAw12aG2UcBax0hnJNeHez/S0uBGbnDDBxWD2Yeetqm4DfMn/8WKILIeRpM7ncTJ9coYOiNPGeOA==
I'm working on a webservice to authenticate users using PHP. I don't which functions do I have to use to compare plain password with the encrypted ones?
You have to get the password encoder factory from the container.
You can do so like this :
$factory = $container->get('security.encoder_factory'); //$container refers to your container, it can be also $this->container
$user = new Your\Bundle\Entity\User();
$encoder = $factory->getEncoder($user);
$encodedPassword = $encoder->encodePassword($nonEncodedPassword, $user->getSalt());
This should be enough. Of course you can set "by hand" the second encodePassword parameter as its the salt used to encode all paswords. It's usually defined in your user implementation class, that's why we give here an entity instancied object.
This is the class that handles the sha512 encryption in Symfony2
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php
I'm using DynamoDB for my application so the doctrine ORM isn't an option for me when it comes to authentication.
I've created a basic user provider and have it working perfectly when using a sha1 hash, however I'm completely stuck / don't understand how to get it working with salt.
FYI: My code is based on this guide from the manual
Code:
Once the 'new user' form has been submitted a grab the raw data and do the following then persist to the DB - this works fine:
$salt = '79fdshjh408hjhgd87r5438ujl';
$password = base64_encode(sha1($rawPassword.'{'.$salt.'}'));
When authenticating I have a 'userProvider' that requests the users details based on username from the DB - this also works fine and I'm returned all the details
//WebserviceUserProvider.php
$username = $userData['userName'];
$password = $userData['password'];
$roles[0] = 'ROLE_ADMIN';
$salt = '79fdshjh408hjhgd87r5438ujl';
return new WebserviceUser($username, $password, $salt, $roles);
the WebserviceUser file is a direct copy of the one in the docs:
security.yml
security:
encoders:
HvH\SecurityBundle\Security\WebserviceUser:
algorithm: sha1
iterations: 1
encode_as_base64: true
If anyone could point me in the right direction, it would be much appreciated.
Thank you