unable to login using this plugin
-
hi
i have a wordpress and a separate blesta install
i have successfully installed “external logins” and added the blesta database as the external db, with the user table as the external table
when i test the connection, it shows okay
but when i try to login, i am unable to login
every time, it says, invalid username/password
how do i proceed
—–
just in case you require the blesta encryption details
it's here
https://docs.blesta.com/display/user/Encryption
————
i have set the encryption type in the install of external logins as bcrypt
thanks
amit
-
Hey Amit,
Thanks for the link as I am unfamiliar with Blesta.
Blesta uses a very custom system as outlined here:
Before a password is hashed using bcrypt, however, it is hashed using HMAC SHA-256. The HMAC SHA-256 process produces a 256-bit (64-hexadecimal character) string, which is then hashed using bcrypt. This extra step provides additional security for short passwords, extremely long passwords (see denial of service), and dictionary attacks.
I actually feel their attempt to be more secure by adding in a two step system is far less secure than requiring a better password from their users and would in fact cause little additional benefit. However, this is not the topic for discussion.
The flat answer is that the plugin currently doesn’t support this as it is such a custom solution. I have a task in my backlog to create a hook so that you could add a custom hashing solution in your functions.php file.
I will bump it up the list and will leave this thread open so I can update you when I get round to adding this feature. I’ll also try to add an example code snippet that you would need to add to your functions.php file.
To assist me doing this, could you please create a new user in your Blesta system with the password “password1” so that I can test the solution locally for you.
Thanks Amit,
Tom
hi Tom
thanks for the prompt reply
i shall be awaiting your addition on this
till then i would stall my development, and would concentrate on the themes and other stuff
thanks and regards
amit
also when you are done with the job, kindly ping me so that i create an additional user in my blesta install
Hey @agentmishra,
Of course I’ll let you know when I’m done 🙂
As said previously there’s something I need from you to assist me doing the work but I wasn’t clear about what I needed.
Could you please create a new user in your Blesta system with the password “password1”. Could you then send me the hash that is created in the users table so that I can test the solution locally for you.
I want to make sure that the example code I give you for External Login will correctly convert “password1” to the hash that your Blesta system creates.
Thanks,
Tom
the hashed password is as follows
1. for password its
====
$2y$12$37Vz4b3gvYtpfEoFfB2uyOvL7kt0gfnW.m.584aMqqaBADVA0YQiS
======
2. for password1 its
===
$2y$12$JpuoC5RiIml4musCwyE.8.PX30B1p24zxKuCW67ySiC04dhngWoRK
===
let me know if any more info is required
regards
amit
Hey @agentmishra,
I’ve made some progress with this.
I’ve created the feature that will allow you to add your own custom authentication checking. The hook gives you:
– the password that the user typed in
– the hash from the database
It then allows you to check to see if that password is valid for that hash.
What I haven’t been able to get working is to make this work with Blesta’s hashing method.
The code that you will need to add to your functions.php file will look something like this:
    function myExlogHashAuthenticator($password, $hashFromDatabase) {
        // '?????????????' is a placeholder for the HMAC key
        $hmacHashFromPassword = hash_hmac('sha256', $password, '?????????????');
        $resultAfterBcrypt = password_verify($hmacHashFromPassword, $hashFromDatabase);
        return $resultAfterBcrypt;
    }
    add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 2);
However, I do not know what the key is that needs passing into the hash_hmac function. You can see I’ve currently added question marks in there.
This is something you’ll have to check with Blesta support.
I have not yet published the code that will make this code work but I thought you might like to start your enquiry with Blesta sooner rather than later.
If you wanted to do some initial testing with this feature before I release it, you can find the code here:
https://github.com/tbenyon/wordpress_external_login_plugin/tree/hashhook
I won’t mark this as resolved until I publish the feature in the next release.
Thanks,
Tom
ok
you kindly let me know what exactly i need to ask from blesta guys?
You’re going to owe me a 5* review after this @agentmishra 😛
————————————
Dear Blesta support,
I need to be able to validate a user’s password from the database using an external system using PHP.
Given a function that receives the plain text password and the hash for the user stored in the database I am struggling to see how I can validate the password.
I believe it should look something like the following but I am unsure of the key that would need to be passed into the hash_hmac function (see this currently replaced with question marks):
    function validatePasswordAgainstHash($password, $hashFromDatabase) {
        $hmacHashFromPassword = hash_hmac('sha256', $password, '?????????????');
        $resultAfterBcrypt = password_verify($hmacHashFromPassword, $hashFromDatabase);
        return $resultAfterBcrypt;
    }
Am I close?
Thank you for your support.
——————————————–
You now need to work with them to get it working on your local code.
You can try running this function with their modifications and passing in the data you’ve given me and making sure it returns true. E.g.
    function validatePasswordAgainstHash($password, $hashFromDatabase) {
        $validated = false; // Replace with whatever code they suggested
        if ($validated) {
            error_log('Validated');
        } else {
            error_log('Not validated');
        }
        return $validated;
    }
    // Password first, then the stored hash, to match the signature above
    validatePasswordAgainstHash('password', '$2y$12$37Vz4b3gvYtpfEoFfB2uyOvL7kt0gfnW.m.584aMqqaBADVA0YQiS');
If you could write a review I’d be grateful.
Thanks,
Tom
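The HMAC SHA-256 then bcrypt check discussed in the two posts above, as a stand-alone PHP script that can be run from the command line (an added example, not code from the plugin, from Blesta, or from either poster). The key, passwords and function names are constructed for illustration; checking a real stored hash needs the key from the Blesta install that produced it.

```php
<?php
// Added example. The key and passwords below are constructed for the demo;
// they are not values from this thread or from any real install.

// Step 1 of the scheme: HMAC SHA-256 of the password. hash_hmac() returns
// lowercase hex by default (64 characters), which fits bcrypt's 72-byte input limit.
function prehashPassword(string $password, string $key): string
{
    return hash_hmac('sha256', $password, $key);
}

// Step 2: bcrypt over the hex string. Cost 12 matches the "$2y$12$" prefix
// of the hashes posted earlier in the thread.
function makeStoredHash(string $password, string $key): string
{
    return password_hash(prehashPassword($password, $key), PASSWORD_BCRYPT, ['cost' => 12]);
}

// Takes the same two arguments the hook callback receives, plus the key.
function verifyAgainstStoredHash(string $password, string $hashFromDatabase, string $key): bool
{
    return password_verify(prehashPassword($password, $key), $hashFromDatabase);
}

$key      = 'constructed-demo-key';
$otherKey = 'key-from-a-different-install';
$stored   = makeStoredHash('password1', $key);
$prehash  = prehashPassword('password1', $key);

// label => [actual result, expected result]
$checks = [
    'right password, right key'     => [verifyAgainstStoredHash('password1', $stored, $key), true],
    'wrong password, right key'     => [verifyAgainstStoredHash('password', $stored, $key), false],
    'right password, wrong key'     => [verifyAgainstStoredHash('password1', $stored, $otherKey), false],
    'plain bcrypt check, no HMAC'   => [password_verify('password1', $stored), false],
    'pre-hash is 64 hex characters' => [preg_match('/^[0-9a-f]{64}$/', $prehash) === 1, true],
];

foreach ($checks as $label => [$actual, $expected]) {
    printf("%-32s %s\n", $label, $actual === $expected ? 'ok' : 'MISMATCH');
}
```

The "plain bcrypt check" row shows why a bcrypt-only comparison rejects a correct password against a hash built this way, and the "wrong key" row shows why a key from one install cannot validate hashes from another.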
i will get back on this as i get a reply from them
hi
presently you may try this key and update me
——-
0ee04f60e6f20d6e369ead803e66d46c5cc9ef0c39a97273c4e93e6f876f4710
——
but if it works do not mark the issue as resolved
because, this key thing in blesta is very crooked task
thanks
amit
also if this would be of some support
https://docs.blesta.com/display/dev/API
also the key is randomly generated in every install and is different every time
i feel i will have to give you access to 3-4 blesta logins, for this
but how do i get this done, any means of connecting over to you my other means like some private inbox kind of communication?
or may be you may mail me directly at [email protected]
hii Tom
any update on this?
hi Tom
where are you?
no replies from say 2 days…
Hey @agentmishra,
As mentioned before, this is well beyond the scope of support for this plugin. This is the bit you should be doing.
I will however try and help you out and find the time to test this for you this week.
Thanks,
Tom
The topic ‘unable to login using this plugin’ is closed to new replies.