
TSQLRestServer.OnAuthenticationUserRetrieve Problem

I'm using a custom TSQLAuthUser record which adds an email address field and then uses TSQLRestServer.OnAuthenticationUserRetrieve to allow a user to log in with either their username or their email address.

This works except TSQLRestServerAuthenticationDefault.CheckPassword always uses the username to calculate the salt. I think it needs changing from:

function TSQLRestServerAuthenticationDefault.CheckPassword(Ctxt: TSQLRestServerURIContext;
  User: TSQLAuthUser; const aClientNonce, aPassWord: RawUTF8): boolean;
// Verifies the client's password proof: a hex SHA-256 of
//   Model.Root + server nonce + client nonce + User.LogonName + User.PasswordHashHexa
// The proof is accepted against the current server nonce first, and then
// against the previous one (see the original comment: the previous 5 minutes' nonce),
// so a request built just before a nonce rotation still validates.
// Note that the salt is built from User.LogonName, i.e. the stored logon name of
// the record returned by user lookup - NOT from the identifier string the client
// actually hashed. If the client hashed another identifier (e.g. an e-mail
// address that OnAuthenticationUserRetrieve resolved to this user), the digests
// cannot match and authentication fails.
// Returns true only when aPassWord is a well-formed 256-bit hex digest AND it
// matches one of the two candidate digests.
var aSalt, aRootPrefix: RawUTF8;
begin
  result := false;
  // reject anything that is not a hex digest of the expected size before
  // doing any hashing work
  if not IsHex(aPassWord,SizeOf(THash256)) then
    exit;
  aSalt := aClientNonce+User.LogonName+User.PasswordHashHexa;
  aRootPrefix := fServer.Model.Root;
  // try the current nonce first ...
  if IdemPropNameU(aPassWord,SHA256(aRootPrefix+CurrentServerNonce(false)+aSalt)) then
    result := true
  else
    // ... and only if that failed, the previous nonce (CurrentServerNonce(true))
    result := IdemPropNameU(aPassWord,SHA256(aRootPrefix+CurrentServerNonce(true)+aSalt));
end;

to:

function TSQLRestServerAuthenticationDefault.CheckPassword(Ctxt: TSQLRestServerURIContext;
  User: TSQLAuthUser; const aClientNonce, aUserName, aPassWord: RawUTF8): boolean;
// Proposed variant: the salt is built from aUserName - the identifier string the
// client actually used (logon name or e-mail address) - instead of User.LogonName,
// so that client and server hash the same input:
//   Model.Root + server nonce + aClientNonce + aUserName + User.PasswordHashHexa
// The caller must pass aUserName byte-for-byte as the client sent it: the salt
// concatenation is exact, even though the resulting hex digests are compared
// with IdemPropNameU. The stored PasswordHashHexa still goes into the salt, so
// the proof remains bound to this user's secret regardless of which identifier
// was used to look the record up.
// The digest is checked against the current server nonce and then the previous
// one (the "previous 5 minutes' nonce" of the original comment).
// Returns true only for a well-formed 256-bit hex digest that matches one of
// the two candidates. (The call site that supplies aUserName is not shown here.)
var aSalt, aExpected: RawUTF8;
    aPrevious: boolean;
begin
  // a malformed proof is rejected before any hashing
  result := IsHex(aPassWord,SizeOf(THash256));
  if not result then
    exit;
  aSalt := aClientNonce+aUserName+User.PasswordHashHexa;
  // false = current nonce, true = previous nonce; stop at the first match
  for aPrevious := false to true do begin
    aExpected := SHA256(fServer.Model.Root+CurrentServerNonce(aPrevious)+aSalt);
    if IdemPropNameU(aPassWord,aExpected) then
      exit; // result is already true from the IsHex check
  end;
  result := false;
end;

i.e. passing the actual username string the client used

