#1 2022-02-11 09:17:39

konsul41
Member
Registered: 2020-05-21
Posts: 24

Self-verification of the password

I am currently using Mormot to connect to an old MSSQL database which has its own login system (table) with its own password encryption.
I made my own TAuthUser and mapped the AuthUser fields to the fields in the table.
I am running TSQLRestServerAuthenticationDefault and fetching user from database is currently working. I am getting an error that the password is not valid.

Now I would like to use the method of password transmission used by TSQLRestServerAuthenticationDefault and only decode the password on the server side and check if the password is correct.
Is that a good way and is it possible at all?

Offline

#2 2022-02-11 13:04:50

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Self-verification of the password

TSQLRestServerAuthenticationDefault does not send the password, it sends a hashed version over a challenge.

So it is impossible to compute the password back from the transmitted hash.

Offline

#3 2022-02-11 13:07:53

konsul41
Member
Registered: 2020-05-21
Posts: 24

Re: Self-verification of the password

How to write the password encryption procedure in the client?

And basically how to change the password system?
Which direction should I go?

Last edited by konsul41 (2022-02-11 13:14:34)

Offline

#4 2022-02-11 13:25:20

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Self-verification of the password

You could inherit from TSQLRestServerAuthentication, and override the methods to transmit the password e.g. using AES + Base64 encoding instead of hashing.

Offline

#5 2022-02-11 13:27:03

konsul41
Member
Registered: 2020-05-21
Posts: 24

Re: Self-verification of the password

In my class
  TUsers = class (TSQLAuthUser)
I overwritten
class function ComputeHashedPassword (const aPasswordPlain: RawUTF8;
       const aHashSalt: RawUTF8 = ''; aHashRound: integer = 20000): RawUTF8; override;
is this a good direction.
It worked, I logged in with the data from the table.

Offline

#6 2022-02-11 14:05:49

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Self-verification of the password

If it worked, it is fine. smile

But ensure that the connection is encrypted (using HTTPS/TLS or our encrypted WebSockets layer), otherwise it may be possible to retrieve the password over the wire.

Offline

Board footer

Powered by FluxBB