Password synch with another application

evilny0

Joined: 2005-03-22
Posts: 5
Posted: Tue, 2005-03-22 17:10

Hello.

I would like Gallery2 to stay in synch with another application user database, without using the "embedded" functionality.

I've read the forum a bit and in a post someone suggested to code a module that would use events to do this from the Gallery side. I've successfully implemented a module doing this... except for passwords!

The problem is that the "save" event on GalleryUsers only provides the hashedPassword... I can't update the other application with an encrypted password :).

Do you have any suggestions ?

I know I could add a "password" field in every place there is a "hashedPassword" one, but that seems an ugly solution.

Note: here the other application is phpBB in case you wonder. I don't want to use embedding, mainly because I don't want people from the forum to know about Gallery (only some people will know). And also because I prefer Gallery to be "alone" visually :)

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Tue, 2005-03-22 17:39

there's no reason an embedded G2 needs to have direct links from phpBB or appear as embedded, ie with any phpBB content around it.. you could have G2 appear like it is standalone but still have a login into phpBB also log you into G2.. it's all in how you implement it.

 
evilny0

Joined: 2005-03-22
Posts: 5
Posted: Wed, 2005-03-23 07:49

My "problem" is, that I don't like the idea of the "embedded" G2 for my G2. That's a *really* nice feature, but I really prefer a standalone Gallery using another user database.

Why ? Because I want the login to be fully transparent for users : no need to login into another application to use G2.

I also noted that for example the personal watermarks don't appear when in embedded mode.

I have already coded a simple php page with calls to the embedded G2, with just a login header at the top of the page using the phpBB database. I could also login into phpBB and use the session for login into G2, that should not be a problem.

That's why I implemented a module doing all the work : updating phpBB database when necessary, and also a user management page to add users from phpBB to G2. All of this is greatly working, except for passwords :(

So, I'm looking for a way to modify passwords in other databases when changing it in G2 :)

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2005-03-23 07:59

you wrote a G2 module that listens to the create/update/delete user events and syncs to phpbb? i'd be interested in the code as i've been planning something like that too.
our current integration is external App --> G2 (direction of authentication and user management synchronization). i'd be happy to offer a generic module for the other direction as well.

as for the passwords: G2 stores its passwords in a md5 hashed format. as far as i know, phpbb also uses md5 hashed passwords, i.e. both applications use the same format and thus you should be able to just copy the passwords from the G2 user into the phpbb user table. but pay attention that the G2 password doesn't get md5 hashed twice when copying it to phpbb, i.e. if there is a function in phpbb that lets you create a user or set the password, then it likely expects a non hashed password, i.e. cleartext. but you'll never get the cleartext password from G2.

 
evilny0

Joined: 2005-03-22
Posts: 5
Posted: Wed, 2005-03-23 10:05
valiant wrote:
you wrote a G2 module that listens to the create/update/delete user events and syncs to phpbb? i'd be interested in the code as i've been planning something like that too.

I don't do all of this. I just want users in my system to have a unified login, but I don't synch all the users ! :).

I'll try to explain what I did and make it clear. Sometimes my English is not good enough to explain what I want :)

First of all, my module works like the embedding functionality. It even calls the same functions as the "embed.php" file (copy/paste, best friend of programmers). That allows me to relate users in phpBB & G2.

I made a module that listens to update/delete events. Not create : I only create users in phpBB. When a user is updated, I update the phpBB user database accordingly, based on the external id from the external id map. When a user is deleted, my event listener clears the external id map, like the embed.php does :).

Anyway, I would be glad to send you the code if you want to take a look at it. It's a bit ugly (database queries in middle of the code with database names, ...), but it's working for my application.

valiant wrote:
as for the passwords: G2 stores its passwords in a md5 hashed format. as far as i know, phpbb also uses md5 hashed passwords, i.e. both applications use the same format and thus you should be able to just copy the passwords from the G2 user into the phpbb user table. but pay attention that the G2 password doesn't get md5 hashed twice when copying it to phpbb, i.e. if there is a function in phpbb that lets you create a user or set the password, then it likely expects a non hashed password, i.e. cleartext. but you'll never get the cleartext password from G2.

That's my problem, I can't get the cleartext password from G2. Why is this a problem ? Because of the password format in G2 ! It's md5 right, but with a 4-character salt added. In phpBB (I'm using latest stable one, 2.0.13), it's plain md5 with no salt !

Conclusion : if G2 doesn't provide the cleartext password in the event when changing it, it won't be possible to update other user database using a different password encoding :).

 
evilny0

Joined: 2005-03-22
Posts: 5
Posted: Thu, 2005-03-31 17:14

I did add a $password member to the GalleryUser class (and set/get methods), and it enables me to do what I want.

Does it sound like a security issue or something ?

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2005-03-31 22:36

@module: i see. i've looked into how this could be done and it's straightforward. so there's no need to send me your code. it's great that you've accomplished this though, we know that it isn't that easy to code a G2 module if you've never done it before.

@cleartext password: true. forwarding the password in cleartext during account creation/password change a security risk? depends. if someone wants to change his G2 and trick his users, he can do it anyway. i'd say it'd be good for integrations to have the password available in cleartext during account creation / password changes.
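
The mismatch discussed above, as an added PHP example that is not code from Gallery2, phpBB or any poster in this thread: a salted MD5 value cannot be turned into an unsalted one, so both stored forms have to be derived from the cleartext at the moment the password changes, without keeping the cleartext afterwards. The salted layout (4-character salt followed by md5(salt . password)), the function names and the sample password are assumptions; MD5 appears only because it is what both applications in the thread store.

```php
<?php
// Added example, not Gallery2 or phpBB source. The salted layout below
// (4-char salt followed by md5(salt . password)) is an assumption based on
// the thread's description "md5 with a 4 characters salt added".

function saltedMd5(string $password, ?string $salt = null): string {
    // Two random bytes hex-encoded give a 4-character salt.
    $salt = $salt ?? bin2hex(random_bytes(2));
    return $salt . md5($salt . $password);
}

function verifySaltedMd5(string $password, string $stored): bool {
    // Re-derive with the salt taken from the stored value, compare in constant time.
    $salt = substr($stored, 0, 4);
    return hash_equals($stored, saltedMd5($password, $salt));
}

function plainMd5(string $password): string {
    return md5($password);
}

/**
 * Hypothetical password-change handler: the cleartext exists only as a
 * function argument, both stored forms are derived here, and nothing but
 * the two hashes is returned for persistence.
 */
function onPasswordChange(string $cleartext): array {
    return [
        'gallery_hash' => saltedMd5($cleartext),
        'forum_hash'   => plainMd5($cleartext),
    ];
}

// Constructed sample input.
$sample = 'correct horse battery staple';
$hashes = onPasswordChange($sample);

// The salted value is 4 + 32 characters long, the unsalted one 32.
printf("gallery: %s (%d chars)\n", $hashes['gallery_hash'], strlen($hashes['gallery_hash']));
printf("forum:   %s (%d chars)\n", $hashes['forum_hash'], strlen($hashes['forum_hash']));

// Stripping the salt prefix does not give the unsalted hash: the digest was
// computed over salt . password, so copying it to the other table cannot work.
var_dump(substr($hashes['gallery_hash'], 4) === $hashes['forum_hash']);

// Each stored form still verifies against the same cleartext.
var_dump(verifySaltedMd5($sample, $hashes['gallery_hash']));
var_dump(hash_equals($hashes['forum_hash'], plainMd5($sample)));
```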

 
ricobilly20

Joined: 2008-10-13
Posts: 5
Posted: Mon, 2008-10-13 06:45

Dear Evilny0

At the moment I am also trying to add a cleartext to the MySQL Database, but I want to ask which file did you change to enable $password member?

Thanks
Billy