I'm using a custom TSQLAuthUser record which adds an email address field, and then uses TSQLRestServer.OnAuthenticationUserRetrieve to allow a user to log in with either their username or their email address.
This works, except that TSQLRestServerAuthenticationDefault.CheckPassword always uses the stored username (User.LogonName) to calculate the salt, rather than the identifier the client actually logged in with. I think it needs changing from:
/// Validate a client-supplied authentication digest for the default scheme
// - aPassWord must be a hex-encoded SHA-256 digest; anything else is rejected
//   before any hashing takes place
// - the expected digest is SHA256(Model.Root + server nonce + aClientNonce +
//   User.LogonName + User.PasswordHashHexa): the current server nonce is
//   tried first, then the previous one, so a client that computed its digest
//   just before the nonce rotated is still accepted
// - NOTE(review): IdemPropNameU is a case-insensitive string compare (hex
//   digits in either case match); presumably not constant-time - confirm
//   whether a constant-time comparison is wanted for this digest check
function TSQLRestServerAuthenticationDefault.CheckPassword(Ctxt: TSQLRestServerURIContext;
  User: TSQLAuthUser; const aClientNonce, aPassWord: RawUTF8): boolean;
var salt: RawUTF8;
  // compare the supplied digest against the one expected for the current
  // (aPreviousNonce=false) or the previous (aPreviousNonce=true) server nonce
  function Matches(aPreviousNonce: boolean): boolean;
  begin
    result := IdemPropNameU(aPassWord,
      SHA256(fServer.Model.Root + CurrentServerNonce(aPreviousNonce) + salt));
  end;
begin
  result := false;
  if not IsHex(aPassWord, SizeOf(THash256)) then
    exit;
  salt := aClientNonce + User.LogonName + User.PasswordHashHexa;
  // current nonce first, then the previous 5 minutes' nonce
  result := Matches(false) or Matches(true);
end;
to:
/// Validate a client-supplied authentication digest for the default scheme,
// salting with the identifier the client actually logged in with
// - aUserName must be the exact string the client used when it computed its
//   digest (a logon name or, with a custom OnAuthenticationUserRetrieve, an
//   e-mail address); User.LogonName is deliberately not used here, so that
//   both sides hash the same bytes - the caller is responsible for passing it
// - User.PasswordHashHexa stays part of the salt, so the digest is still
//   bound to the stored password hash of the retrieved user
// - aPassWord must be a hex-encoded SHA-256 digest; the current server nonce
//   is tried first, then the previous one
// - NOTE(review): IdemPropNameU is a case-insensitive compare and presumably
//   not constant-time - confirm whether that matters for this check
function TSQLRestServerAuthenticationDefault.CheckPassword(Ctxt: TSQLRestServerURIContext;
  User: TSQLAuthUser; const aClientNonce, aUserName, aPassWord: RawUTF8): boolean;
var
  salt, root: RawUTF8;
begin
  if not IsHex(aPassWord, SizeOf(THash256)) then
  begin
    result := false;
    exit;
  end;
  salt := aClientNonce + aUserName + User.PasswordHashHexa;
  root := fServer.Model.Root;
  if IdemPropNameU(aPassWord, SHA256(root + CurrentServerNonce(false) + salt)) then
    result := true
  else
    // current nonce did not match: retry with the previous 5 minutes' nonce
    result := IdemPropNameU(aPassWord, SHA256(root + CurrentServerNonce(true) + salt));
end;
i.e. passing the actual username that the client used to log in, so that the server salts with the same string the client hashed.