
Passwords set/updated via web-interface are not hashed even with hashing set #56

Closed
rowanthorpe opened this issue Aug 29, 2013 · 6 comments

Comments

@rowanthorpe
Contributor

When I have resources.auth.oss.pwhash = "bcrypt" in application/configs/application.ini if I manually bcrypt-hash user passwords and update them directly in the database there is no problem for authorisation, but when I use the web-interface to modify passwords it resets them as plaintext regardless of the config setting.

@rowanthorpe
Contributor Author

...it seems any updates at all to "profile information" are not possible through the interface with hashing set, because it keeps complaining that the "password is too long" (because it sees the hash as a password)
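The two symptoms reported above (passwords written in the clear although `resources.auth.oss.pwhash = "bcrypt"` is configured, and profile updates rejected with "password is too long" because the form validator is run over the stored hash) can both be checked for directly. The following is an added example, not code from IXP Manager or from anyone in this thread: a standard-library Python audit that classifies each stored password value as a well-formed bcrypt hash, a malformed hash-like value, or plaintext, and a validator that applies length rules to the submitted password rather than to the value read back from the database. The `user` table column names, the sample rows and the cost policy are constructed assumptions; only `username` appears on the page.

```python
import re

# Shape of a bcrypt modular-crypt string: $2a$/$2b$/$2x$/$2y$, a two-digit
# cost, then 22 salt + 31 digest characters from the bcrypt base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10          # assumed site policy for the audit; not from the issue
MAX_SUBMITTED_LEN = 72  # bcrypt silently ignores input beyond 72 bytes

# Constructed sample rows standing in for the `user` table. Column names are an
# assumption; the thread only shows `username`.
SAMPLE_USERS = [
    {"id": 1, "username": "alice",  # well-formed bcrypt, cost 10
     "password": "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
    {"id": 2, "username": "bob", "password": "Summer2013!"},           # written in clear
    {"id": 3, "username": "carol", "password": "$2a$04$" + "." * 53},  # valid shape, weak cost
    {"id": 4, "username": "dave", "password": "$2y$10$truncated"},     # hash-like but damaged
]


def classify_password(value):
    """Return 'bcrypt', 'malformed' (bcrypt prefix but wrong shape) or 'plaintext'."""
    if BCRYPT_RE.match(value):
        return "bcrypt"
    if value.startswith("$2"):
        return "malformed"
    return "plaintext"


def bcrypt_cost(value):
    """Cost factor of a well-formed bcrypt string, or None."""
    m = BCRYPT_RE.match(value)
    return int(m.group(1)) if m else None


def audit_users(rows, min_cost=MIN_COST):
    """Group user ids by finding, assuming pwhash is configured as bcrypt.

    Run this over the table after changing a password through the web
    interface: any id under 'plaintext' means the configured hashing was
    not applied on that write path.
    """
    findings = {"ok": [], "plaintext": [], "malformed": [], "weak_cost": []}
    for row in rows:
        kind = classify_password(row["password"])
        if kind == "bcrypt" and bcrypt_cost(row["password"]) < min_cost:
            findings["weak_cost"].append(row["id"])
        elif kind == "bcrypt":
            findings["ok"].append(row["id"])
        else:
            findings[kind].append(row["id"])
    return findings


def validate_submitted_password(submitted):
    """Apply length rules to what the user typed, never to the stored hash.

    Returns (ok, reason). The 'password is too long' symptom arises when the
    form is pre-filled with the 60-character stored hash and the validator
    measures that instead of a new password; a value shaped like a bcrypt
    string is therefore rejected explicitly so the cause is visible.
    """
    if classify_password(submitted) == "bcrypt":
        return False, "value looks like a stored hash echoed back into the form"
    if len(submitted.encode("utf-8")) > MAX_SUBMITTED_LEN:
        return False, "submitted password exceeds 72 bytes; bcrypt would truncate it"
    if len(submitted) < 8:
        return False, "submitted password shorter than 8 characters"
    return True, ""


if __name__ == "__main__":
    for finding, ids in audit_users(SAMPLE_USERS).items():
        print(f"{finding:10s} {ids}")
    print(validate_submitted_password(SAMPLE_USERS[0]["password"]))
```

The audit only inspects the shape of what is stored; it does not verify any password, so it can be run against a dump without knowing any user's secret. The submitted-password check is the order the web form should follow: validate the plaintext, then hash, then store, with no length rule ever applied to the hash itself.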

@barryo
Member

barryo commented Sep 30, 2013

This should be fixed. At least everything seems to be working for me.

@rowanthorpe if there are still issues, please open a new ticket with detailed step by step instructions on how to replicate.

@bcix
Contributor

bcix commented Sep 30, 2013

With version 3.5.0, this looks like it is working fine for the BCIX installation.

@barryo
Member

barryo commented Sep 30, 2013

@bcix - you'll need to update to v3.5.2. There are some edge cases where certain actions will fail (e.g. logout, do a password reset, then log in and try and change your password or profile).

Also, the add / edit of contacts (with login accounts) had some issues for non-plaintext password hashing.

@barryo barryo closed this as completed Sep 30, 2013
@bcix
Contributor

bcix commented Oct 2, 2013

Hey, on 3.5.2 now. When I reset the password mail and then go via

http://www.bcix.de/ixp/auth/reset-password/username//token/

I now see the following error message on the following page:

User expected but none found... Please reload the page...

@barryo
Member

barryo commented Oct 3, 2013

@bcix I have tested password reset with both versions of password hashing:

resources.auth.oss.pwhash  = "plaintext"
resources.auth.oss.pwhash  = "bcrypt"

and both email formats:

resources.auth.oss.email_format = 'html'
resources.auth.oss.email_format = 'plaintext'

and I cannot replicate a case where I get a password reset email with no username and token in the provided URL.

Please ensure that at each version bump you carried out all necessary tasks as indicated in the changelog and also ensure your database is fully up to date as per these instructions.

If the problem persists, please open a new ticket with step by step instructions on what you're doing as well as the output of the MySQL statements:

SELECT * FROM user WHERE username = 'XXXX'\G
SELECT * FROM user_pref WHERE user_id = Y;

If you're using plaintext passwords, obfuscate the password in the output. The user ID Y can be taken from the output of the first command, and the username XXXX is the user whose password you are trying to reset.

Also provide the output of:

git rev-parse HEAD

and ensure, from the root directory of IXP Manager, that you have run:

git submodule init
git submodule update

Lastly, also include all the resources.auth.xxx config blocks from your application.ini.
