9.1 Bali Security - Get User

Hi,

In our current implementation, we do a query to get the user record using the GenerateSaltedMD5Hash action. Now that it has been deprecated, can you suggest a workaround to get the user record given the username and password?



By the way, we have user records with the same username given that they belong to different tenants.

Regards,
Hi JC,

Are you sure GenerateSaltedMD5Hash has been deprecated? Actually now you can find this in PlatformPasswordUtils extension.

@André: It has been deprecated, though I don't think it has been removed. See here for more information.

@JC: Assuming you're on Bali, change the logic. Since usernames must be unique anyway, search for just the username, then use the new ValidatePassword from the PlatformPasswordUtils extension.

Thanks Kilian. The description of the action should mention it as well...

The Breaking Changes notes say: "Until now, passwords were stored using the MD5 cryptographic hash function, which is considered an insecure algorithm. To make it more secure, SHA512 is used with a dynamic salt to generate password hashes. Passwords are automatically upgraded when users log in to the Infrastructure Management Console, Environment Management Console, Development Environment, or to an application via the LoginPassword system action."

That said, I think a workaround to get the user record would be to use GenerateSaltedSHA512Hash instead of GenerateSaltedMD5Hash, since the passwords have been updated to the new encryption.


Thanks Guys for your responses. I already tried these suggestions prior to posting this question.

Here's the thing, we have a two-step authentication wherein on the login page, the user needs to supply an SMS Verification Code prior to logging in. The current logic we did is that the user needs to supply his username and password prior to clicking the 'Get SMS Code' button. We use his username and password (GenerateSaltedMD5Hash) in an Advanced Query to get his unique user record.

Now here are the concerns:

1. I can't use the GenerateSaltedMD5Hash anymore because of the new security change in Bali.

2. I can't use the GenerateSaltedSHA512Hash because it generates a dynamic code and I can't use it as a comparison in the Advanced Query.

3. I tried to get the user and then use the ValidatePassword but I just confirmed in our logic that users with the same username can exist provided that they are in a different tenant so it returns False.
Hi JC,

You need to remove the password condition from the query and call ValidatePassword
for each of the users in a For Each (and hope that two users in different tenants don't have the same name and the same password).

One of the reasons why passwords have a random salt is to avoid attacks where knowing the hash of a password allows you to know which usernames match it. So direct comparisons are impossible now.

Regards,
João Rosado
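To make João's point concrete, here is an added example (not code from the thread or from the OutSystems platform) that reproduces the situation in plain Python. The hashing helpers are hypothetical stand-ins for GenerateSaltedSHA512Hash and ValidatePassword: the page only states that the platform uses SHA-512 with a dynamic salt, so the storage format, the `generate_salted_sha512_hash`/`validate_password` names and the sample user table are all assumptions. The example shows why a freshly computed salted hash can never be used as a WHERE-clause comparison, then implements the query-by-username-and-validate-each-row workaround, including the ambiguous case of two tenants with the same username and the same password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical stand-ins for the platform's salted SHA-512 actions (assumption:
# the real PlatformPasswordUtils storage format is not shown on the page).
# The property that matters is reproduced: every call without an explicit
# salt picks a fresh random one, so two hashes of the same password differ.
def generate_salted_sha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def validate_password(password: str, stored_hash: str) -> bool:
    # Re-derive the hash with the salt that was stored next to the digest and
    # compare in constant time, so the check does not leak timing information.
    salt_hex, _ = stored_hash.split("$", 1)
    recomputed = generate_salted_sha512_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored_hash)


@dataclass(frozen=True)
class User:
    tenant_id: int
    username: str
    password_hash: str


# Constructed sample table: the same username in two tenants (JC's situation)
# plus an unrelated account. Passwords are hashed at load time.
USERS: List[User] = [
    User(1, "jc", generate_salted_sha512_hash("correct horse")),
    User(2, "jc", generate_salted_sha512_hash("battery staple")),
    User(1, "andre", generate_salted_sha512_hash("hunter2")),
]


def find_user_by_hash_in_query(username: str, password: str,
                               users: List[User] = USERS) -> List[User]:
    """The old MD5-era approach: hash the input and compare it in the query.

    With a random per-record salt the fresh hash never equals the stored
    one, so this returns nothing even when the password is right."""
    candidate = generate_salted_sha512_hash(password)
    return [u for u in users
            if u.username == username and u.password_hash == candidate]


def find_users_by_password(username: str, password: str,
                           users: List[User] = USERS) -> List[User]:
    """The workaround: query by username only, then ValidatePassword per row."""
    by_name = [u for u in users if u.username == username]
    return [u for u in by_name if validate_password(password, u.password_hash)]


def resolve_login(username: str, password: str,
                  users: List[User] = USERS) -> Optional[User]:
    """Return the single matching user, or None.

    Zero matches means bad credentials. More than one match means two tenants
    share both username and password (the collision the thread worries about);
    refusing to guess a tenant is safer than picking the first row."""
    matches = find_users_by_password(username, password, users)
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(find_user_by_hash_in_query("jc", "correct horse"))  # [] every time
    print(resolve_login("jc", "correct horse"))               # tenant 1 user
    print(resolve_login("jc", "battery staple"))              # tenant 2 user
    print(resolve_login("jc", "wrong"))                       # None
```

In the real application the loop in `find_users_by_password` is the For Each that João describes, with ValidatePassword called once per row returned by the username-only query; the extra hash computations per login are the price of the salt, and the `len(matches) == 1` check is where the tenant-collision case has to be handled explicitly rather than hoped away.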
Thanks Joao,

I was actually thinking of doing it that way. I was just checking if there is a better (and easier) way to do it.

Regards,
JC
JC,

Given that two users with the same username may also very well use the same password (even if the chance seems remote, I wouldn't wanna bet on users not using "12345" or "secret" and the like). But since you already seem to have that problem, what João said is probably the best method.
I was wondering why the username cannot be unique (usually it is). So to get the user, you would only need to query by username... maybe I'm missing something.
He already explained, different tenants.
You can also query by Tenant_Id, so I think different tenants should not be a problem.
You don't know which tenant you need before logging in ;)))