XF 2.0 Users password algorithm

HolyK

Member
Hi,

We would like to use our external service to authenticate against XF accounts. I found the following post, but it relates to XF 1.x, so I'd like to know whether it is still valid for XF2 or whether it is different.

The passwords are stored in the xf_user_authenticate table in the database. See this file for the auth code:
library/XenForo/Authentication/Core.php
XenForo uses a salted double hash using either SHA1 OR SHA256:
sha1(sha1(password) . salt)
or:
sha256(sha256(password) . salt)

Thank you in advance for your reply

Alex
 
That would only be valid in very old versions of XF, before XF 1.2.

Since then we’ve used bcrypt and it’s the same in XF2.

If you’re interfacing with PHP and you have an up-to-date PHP version then you can use the password_hash and password_verify functions.

The best code to look at is the XF\Authentication\Core12 class in XF2 as that demonstrates how the password is hashed and verified if those functions are available.
 
Hello Chris, thanks for your reply.

Yes, we're running on PHP 7.1. Thank you for pointing me in the proper direction, much appreciated!

Alex
 
In that case, it's literally as simple as this code, assuming $password has come from some sort of sanitized user input and you have the $userId already:
PHP:
$data = $db->fetchOne(
    'SELECT data FROM xf_user_authenticate WHERE user_id = ? AND scheme_class = \'XF:Core12\'',
    $userId
);
if (!$data)
{
    // no valid authentication record
    return false;
}

// data is a PHP-serialized array; the bcrypt hash lives under the 'hash' key.
// allowed_classes => false stops a tampered blob from instantiating objects.
$data = @unserialize($data, ['allowed_classes' => false]);
if (!is_array($data) || !isset($data['hash']))
{
    // malformed or unexpected record
    return false;
}

if (password_verify($password, $data['hash']))
{
    // password match
    return true;
}
else
{
    // password does not match
    return false;
}
Obviously that's a fairly simplistic example and it only works on XF2, but the code for XF1 is similar, and it relies on all of your users using the XF:Core12 authentication method (it would only be something else if they haven't logged in for years, if they were imported from another forum software, or if they registered using connected accounts like Facebook, Twitter etc.).
 
...it relies on all of your users using the XF:Core12 authentication method (it would only be something else if they haven't logged in for years or if they were imported from another forum software, or they registered using connected accounts like Facebook, Twitter etc.).

This is our case: we're migrating from vB 4.2.5 to XF2 (via the XF 1.5.15 importer).
 
Then you might need to implement different authentication paths depending on which authentication scheme they are using.

The thing is, we do have an upgrade process for authentication handlers. If a user logs in with a non-XF handler then we upgrade it to the XF version. So it just depends on whether you expect anyone to sign in to your external system before they’ve logged into the forum properly.

You could also consider just using the XF framework directly which involves initialising XF and accessing the authentication handlers directly.
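The dispatch on scheme_class described above, as an added example that is not part of the thread or of XenForo's own code. It assumes a PDO connection to the XF2 database and a username from sanitised input. The 'XF:Core12' path (bcrypt hash under the 'hash' key of the serialized data) is what the thread confirms; the legacy salted double hash quoted at the top of the thread is handled under an assumed scheme name 'XF:Core' with assumed data keys 'hash', 'salt' and 'hashFunc'. Any other scheme (an imported vBulletin record, a connected account) is reported as needing a forum login first, matching the upgrade behaviour Chris describes.

```php
<?php
// Added example, not XenForo code. Assumptions: PDO handle to the XF2 database,
// the 'XF:Core' scheme name and its 'hash'/'salt'/'hashFunc' keys (legacy path).
const SCHEME_CORE12 = 'XF:Core12'; // confirmed in the thread: bcrypt via password_hash
const SCHEME_CORE   = 'XF:Core';   // ASSUMED name of the pre-1.2 double-hash scheme

function loadAuthRecord(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT u.user_id, a.scheme_class, a.data
           FROM xf_user AS u
           JOIN xf_user_authenticate AS a ON a.user_id = u.user_id
          WHERE u.username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function decodeAuthData(string $blob): ?array
{
    // XF stores a PHP-serialized array; never let the blob instantiate objects
    $data = @unserialize($blob, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

/**
 * Returns one of: 'ok', 'bad_password', 'no_account', 'needs_forum_login'.
 * 'needs_forum_login' is the case the thread discusses: XF upgrades the record
 * to XF:Core12 on the user's next forum login, so the external system should
 * send them there instead of reimplementing every importer's scheme.
 */
function authenticate(PDO $pdo, string $username, string $password): string
{
    $row = loadAuthRecord($pdo, $username);
    if ($row === null) {
        return 'no_account';
    }
    $data = decodeAuthData($row['data']);
    if ($data === null) {
        return 'no_account';
    }

    switch ($row['scheme_class']) {
        case SCHEME_CORE12:
            if (!isset($data['hash'])) {
                return 'no_account';
            }
            return password_verify($password, $data['hash']) ? 'ok' : 'bad_password';

        case SCHEME_CORE:
            // Legacy scheme quoted in the thread: hashFunc(hashFunc(password) . salt)
            if (!isset($data['hash'], $data['salt'])) {
                return 'no_account';
            }
            $func = $data['hashFunc'] ?? 'sha256'; // ASSUMED key and default
            if (!in_array($func, ['sha1', 'sha256'], true)) {
                return 'needs_forum_login';
            }
            $computed = hash($func, hash($func, $password) . $data['salt']);
            // constant-time comparison; the stored hash is hex from hash()
            return hash_equals($data['hash'], $computed) ? 'ok' : 'bad_password';

        default:
            // e.g. an imported vBulletin record or a connected-account registration
            return 'needs_forum_login';
    }
}

// Usage (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=xenforo;charset=utf8mb4', 'xf', 'secret');
// $result = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

The caller should treat 'bad_password' and 'no_account' identically in what it shows the user, so the external login form does not leak which usernames exist; 'needs_forum_login' is the only outcome worth a distinct message, and it is the one the thread ends up relying on.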
 
The thing is, we do have an upgrade process for authentication handlers. If a user logs in with a non-XF handler then we upgrade it to the XF version. So it just depends on whether you expect anyone to sign in to your external system before they’ve logged into the forum properly.

Ha! This solves the issue then. We will just put a small note on the logon form of the external service instructing users to log in to the forum first (one time). I don't see this as an issue. It is 1000x better than force-resetting passwords for everyone.

You could also consider just using the XF framework directly which involves initialising XF and accessing the authentication handlers directly.
Yeah, we thought about that as well, but for now we will be OK with the above. It is on our list of future improvements.

Thanks!
 
Is it possible to auth against XF accounts without PHP, but solely using MySQL/MariaDB?
 