Security provider and hashes with Wappler 3

Wappler General Bugs
#1

Wappler Version : 3
Operating System : Windows 10

Expected behavior

Security provider/login should work with a hash

Actual behavior

When generating a hash (sha256, MD5), login actions are not able to authenticate.
The same action without a hash (any hash) works as expected.
This was working in wappler 2.9

How to reproduce

  • Create a table with a user and password fields.
  • Create a user with a clear password.
  • Create a security provider and login action - authentication works as expected.
  • Use any online hash generator (with or without a salt) and update your user password field in your database.
  • add a filter to your login step to generate the corresponding post password variable and try to authenticate - it fails.
#2

Hi,
There are many different ways that the online tools implements encryptions with salt.
The chances you find one online that encrypts the way Wappler expects is very slim.

For example the only one I found online for SHA256 with salt that is working with Wappler is this one:
https://www.symbionts.de/tools/hash/sha256-hash-salt-generator.html

I have a development sandbox running locally on docker where I have created generators for all the
encryptions I use.

#3

You pointed me in the right direction, thanks - Wappler is not compliant with any hash/cryptographic method - it used to be. By creating a page to insert a user and create the hash within Wappler, I can authenticate since there is a match. However this hash differs from the one you can get via third party tools, who are all congruent.
This means an app create with Wappler with this issue will fail security and compliance standards as it will not match reference standards, including the url you provided.

#4
#5

If you use an encryption function in Wappler without salt, then the hash is equal to the online generators. Only tried with MD5. I don’t think there is a standard on how to salt the hash, but I’m not sure on this.

#6

One more thing,
Normally you get the string from online encoders in uppercase.
Wappler compares to lowercase.

#7

There is no standard on how to use the salt, in Wappler it just adds the salt to the end. So password + salt is the string that is being hashed. Also for the uppercase/lowercase there is no rule, we just use the string as we get it from the hashing function, this can differ in PHP, ASP and nodeJS.

#8
#9
#10