XF 2.0 Generating password salt/hash with XF and auth with Java Program

Andrew

Hello!

I am trying to authenticate user credentials against my XF database. I am using the https://github.com/patrickfav/bcrypt library in Java to check the secret key stored in the database. However, my tests are failing.

Here is the code:
```java
import at.favre.lib.crypto.bcrypt.BCrypt;

public class BcryptTest {
    public static void main(String[] args) {
        // Testing Bcrypt:
        // Xf Secret key (from XF database): 394c395363326f4c543173595f676d4a63786341446236523376494346704a67
        String password = "abc123";
        String version = "$2a$10$";
        String secretKey = "394c395363326f4c543173595f676d4a63786341446236523376494346704a67";
        // The secret key is appended to the version prefix and passed in as the bcrypt hash string.
        BCrypt.Result result = BCrypt.verifyer().verify(password.toCharArray(), version + secretKey);
        if (result.verified) {
            System.out.println("success");
        } else {
            System.out.println("fail");
        }
    }
}
```

A few questions:
  1. In order for this to work, can the Java server program and the website exist on separate machines? XF is on HostGator and the Java program is on an array of dedicated server machines.
  2. Is this $2a$10$ version and strength identifier correct for a default XF installation (PHP version 5.4.45)?
Thanks for all the help!
 
The secret_key is not your password.

You need the information from the xf_user_authenticate table.

Note that if you have imported from other software, not all users will be using Bcrypt.
 

THANK YOU! Using the data from the xf_user_authenticate table worked! I had checked that table before, but I didn't know what a BLOB was, so I dismissed it. I downloaded the file and opened it to see its contents. Manually extracted the hash and it worked! Now that I have that going, I can do legit authentication with my program.

I have renewed my license! I can't believe I have had a license for almost 9 years now. Where have the years gone. 😁
 
Alright, here it is working! The game uses an SSL socket to make sure the details being sent across the wire are safe and secure. Then the user's credentials are authenticated against the ones provided by XenForo :)

 
To whom it may concern,

I know this is a very old topic. Over the years I've had a lot of people come find me and ask me how it was done. I open sourced my MMO game a long time ago. That being said, my code is all on GitHub. This code does this:

1. Downloads the xf user password blob
2. Encrypts the incoming password with bcrypt to compare to the one in the database
3. Handles passes and fails


The code above you are free to use how you wish. Good luck with your project!

P.S. I should mention that there is a memory leak in this code. So I do not advise copying it. Look at it and learn it. And write your database code cleanly. ;)
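
The three steps listed in the post above, as an added sketch that is not the poster's GitHub code and not part of the original thread. It assumes the bcrypt string appears verbatim inside the `data` BLOB of xf_user_authenticate (the PHP-serialized layout of the sample blobs is constructed, and `XfAuthCheck`, `extractHash` and `authenticate` are hypothetical names), and it fails closed for accounts whose BLOB holds no bcrypt hash, such as imported users.

```java
import at.favre.lib.crypto.bcrypt.BCrypt;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class XfAuthCheck {
    // Modular-crypt bcrypt string: $2a$/$2b$/$2x$/$2y$, two-digit cost, 53 chars of salt + hash.
    private static final Pattern BCRYPT =
            Pattern.compile("\\$2[abxy]\\$\\d{2}\\$[./A-Za-z0-9]{53}");

    /** Finds the bcrypt string inside the raw bytes of the data BLOB, if there is one. */
    static Optional<String> extractHash(byte[] blob) {
        // ISO-8859-1 maps every byte to one char, so binary content cannot break decoding.
        Matcher m = BCRYPT.matcher(new String(blob, StandardCharsets.ISO_8859_1));
        return m.find() ? Optional.of(m.group()) : Optional.empty();
    }

    /** True only if the BLOB holds a bcrypt hash and the password matches it. */
    static boolean authenticate(char[] password, byte[] blob) {
        Optional<String> hash = extractHash(blob);
        if (!hash.isPresent()) {
            // Imported accounts may use another scheme: reject instead of guessing.
            return false;
        }
        // The library reads version, cost and salt from the stored string itself.
        return BCrypt.verifyer().verify(password, hash.get()).verified;
    }

    public static void main(String[] args) {
        // Constructed stand-in for one user's BLOB, generated here so the demo runs offline.
        String stored = BCrypt.with(BCrypt.Version.VERSION_2Y)
                .hashToString(10, "abc123".toCharArray());
        byte[] blob = ("a:1:{s:4:\"hash\";s:60:\"" + stored + "\";}")
                .getBytes(StandardCharsets.ISO_8859_1);
        // Constructed BLOB with a non-bcrypt value, standing in for an imported account.
        byte[] imported = "a:1:{s:4:\"hash\";s:32:\"0123456789abcdef0123456789abcdef\";}"
                .getBytes(StandardCharsets.ISO_8859_1);

        System.out.println("correct password: " + authenticate("abc123".toCharArray(), blob));
        System.out.println("wrong password:   " + authenticate("wrong".toCharArray(), blob));
        System.out.println("non-bcrypt blob:  " + authenticate("abc123".toCharArray(), imported));
    }
}
```

In a real deployment the BLOB bytes would come from a parameterized query on xf_user_authenticate for the user's ID, over a connection that is closed after use.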
 