Password Crypt?

  

Hi OS Community,

So I'm facing what is probably a really simple issue - I've created a stack for Registration, using the \System\User entity, and I've added the password field to the form.

Unfortunately, however, the passwords are being stored in plain text. I can't figure out how, or find where anyone else has faced a similar problem with a solution present, to add the Crypt functionality to get this working properly.


I did see in the documentation a function for Crypto, but am not entirely sure where to integrate that. I did try looking in the documentation provided, but did not see anything pointing out how exactly you use the API in the OutSystems software.


Thank you very much for your help, and I look forward to building many applications using OutSystems!

- Landon Wilson

Hello Landon,

When you create a new user in your application (not in the Users application), it's your responsibility to store the password salted and hashed.

To do that, just use one of the two actions in the documentation, passing as input parameter the plain text password, and then assign the result to the password field of the user record you will use as source to the CreateOrUpdateUser entity action to create or update the user.

In case you are developing a Web application, you can take a look into the ChangePassword web block of the Users eSpace.

Here is the code the routine EncryptPassword (Users eSpace) uses to encrypt the password:

If(ForceSecureAlgorithmsInAuthentication or PasswordUpgradeOnLogin,
    If(Site.IncludeUsernameInPasswordHash,
        GenerateSaltedSHA512Hash(Username + Password),
        GenerateSaltedSHA512Hash(Password)),
    If(Site.IncludeUsernameInPasswordHash,
        GenerateSaltedMD5Hash(Username + GenerateSaltedMD5Hash(PlainTextPassword:Password)),
        GenerateSaltedMD5Hash(Password)))

Hope this helps.

Cheers,
Eduardo Jauch
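
The expression above chooses between salted SHA-512 and salted MD5 hashes. The Python sketch below is an added example, not code from the Users eSpace or from the posters: it shows how a salted hash is stored and verified on the server, and how a legacy MD5 record can be rehashed to SHA-512 at a successful login. The `algo$salt$digest` storage format, the function names and the 16-byte salt are assumptions, and it covers only the branches where the username is not mixed into the hash.

```python
import hashlib
import hmac
import os

ALGOS = ("md5", "sha512")   # legacy and current algorithm named in the expression
SALT_BYTES = 16             # assumption: salt size chosen for this sketch


def _salted(algo: str, password: str, salt: bytes) -> str:
    digest = hashlib.new(algo, salt + password.encode("utf-8")).hexdigest()
    # Constructed storage format: algo$salt_hex$digest_hex
    return f"{algo}${salt.hex()}${digest}"


def hash_password(password: str, algo: str = "sha512") -> str:
    """Hash with a fresh random salt; the salt is stored next to the digest."""
    if algo not in ALGOS:
        raise ValueError(f"unsupported algorithm: {algo}")
    return _salted(algo, password, os.urandom(SALT_BYTES))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] not in ALGOS:
        return False          # plain text or unknown format never verifies
    try:
        salt = bytes.fromhex(parts[1])
    except ValueError:
        return False
    candidate = _salted(parts[0], password, salt)
    return hmac.compare_digest(candidate.encode(), stored.encode())


def login(password: str, stored: str, upgrade_on_login: bool = True):
    """Return (authenticated, value to keep in the password column)."""
    if not verify_password(password, stored):
        return False, stored
    if upgrade_on_login and stored.startswith("md5$"):
        # The plain password is only available now, so rehash it here.
        return True, hash_password(password, "sha512")
    return True, stored
```

Because every hash carries its own random salt, two users with the same password get different stored values, and a column that still holds plain text fails verification instead of matching.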

Hey Eduardo,

Thank you for your help, it is very much appreciated. This makes me believe I've got the right destination, as the functions I chose were correct, I'm just taking the wrong way to get there.

I've worked out, possibly falsely, that:

  1. I need to set up an "Assign" bubble in my SaveOnClick action just before the CreateUser server action is called.
  2. That "Assign" bubble should take the User.Password variable and the value should be GenerateSaltedMD5Hash(User.Username + User.Password)

But this leads me to an error because the function isn't defined. So that led me to follow a few more steps into the woods:

  1. Firstly, I scoured the documentation again hoping to find some information on how to include and use the API Functions. I couldn't find anything, but maybe I'm just not looking in the right place.
  2. Secondly, I tried using Forge. I couldn't find anything related to the PasswordUtils API I was trying to use, so I figure Forge probably isn't the way to include this.


So I think my question is a little broader than initially stated: how do I use the API functions? I'm sorry if this is a stupid question or is answered somewhere in the documentation, but I was unable to find it or find a solution by tinkering in the environment itself.


Thanks again for your help!

- Landon Wilson

Landon Wilson wrote:

Hey Eduardo,

Thank you for your help, it is very much appreciated. This makes me believe I've got the right destination, as the functions I chose were correct, I'm just taking the wrong way to get there.

I've worked out, possibly falsely, that:

  1. I need to set up an "Assign" bubble in my SaveOnClick action just before the CreateUser server action is called.
  2. That "Assign" bubble should take the User.Password variable and the value should be GenerateSaltedMD5Hash(User.Username + User.Password)

But this leads me to an error because the function isn't defined.

Hi Landon,

I think I understood your problem.

Let me point you using your bullets:

1. Is exactly like this.
2. Use only the User.Password if you are using the standard login.

And now...
Are you referencing the functions in the Dependence Management? Like this?

Yes - I have it selected under the dependency management now, but it's still saying it's unknown, see attached.

Thanks for your help!

Hi Landon,

I see. Are you doing a mobile or web application?

In a mobile application I also can't seem to find it when trying to put it in an expression/assignment in the screen, even though it is marked as a "function".

But it is available in a client action, both as an action and as a function.

Are you really sure you are referencing it?
Can you provide the OML to take a look?

Cheers,

Eduardo Jauch

I'm creating a mobile application - I've attached the OML file for you to see. The function I am trying to reference is under Register Interface in the SaveOnClick Action.

OK, finally I got it. :)

It does not work on "Client Actions".
You'll need to transfer your code to a Server Action in order for it to work.

Cheers,
Eduardo Jauch

EDIT: You can create a server action ReturnHashedPass that receives the pass and returns it hashed (using the GenerateSalted... function).