Use a user-specific Salt to hash passwords

Hi,

I am new to Wappler and I am thinking about converting an application I wrote (currently Xojo Web2.0) to Wappler.

For better security we currently use a user-specific Salt which is stored in the Database along with the Hash. So when a user tries to log in, we grab the Salt for this username from the database, hash the password entered and compare.

It seems to me this is not possible with a Wappler Security Provider, as I think it uses the Secret Key to hash the passwords.
Am I correct?

Thank you very much.

Fabian

When you keep the Use Password Hash Verify unchecked, the Security Provider doesn’t do any hashing and you can implement your own. Just pass the hashed password with the login; there are several hash formatters available with Wappler.

Hi Patrick,

thanks for your quick response. I think I see now how to do it.

best regards
Fabian

Hi Patrick,

hopefully you can help me once again.
I’ve now set up a security provider of type database.

Identity maps to field id, Username maps to field Login and Password maps to field PasswordHash in my Users Table.

Now I made a login API which does a Query to the Users table at first and gets the Field HashSeed which matches the given Username.
Next I added the Security Provider and after this the Security Login.

The Login maps Username to $_POST.username
and the Password to (QueryHashseed.HashSeed+$_POST.password).md5().uppercase()

Is there something wrong in my idea?

Best regards

Fabian

That all looks correct, did you get it working or do you still have some issues with it?

Not yet. Can I write content of variables into the debug log?

Got it running now. Thanks
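
The login flow described in this thread, as an added Node.js example that is not part of the original posts and is not Wappler's own code. It recomputes (HashSeed + password).md5().uppercase() per user and, as an assumption beyond the thread, shows the same check with scrypt, a deliberately slow key-derivation function; the users array, makeUser, the ScryptHash field and the sample passwords are constructed for illustration.

```javascript
// Added example (not Wappler code): per-user salted login check.
const crypto = require('crypto');

// Scheme from the thread: (HashSeed + password).md5().uppercase()
function md5SaltedHash(hashSeed, password) {
  return crypto.createHash('md5').update(hashSeed + password, 'utf8')
    .digest('hex').toUpperCase();
}

// Hardened variant (assumption, not from the thread): scrypt is slow by
// design, so a leaked table is far more expensive to brute-force than MD5.
function scryptHash(saltHex, password) {
  return crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), 32).toString('hex');
}

// Compare two hex digests in constant time.
function safeEqualHex(a, b) {
  const x = Buffer.from(a, 'hex');
  const y = Buffer.from(b, 'hex');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Constructed rows standing in for the Users table (id, Login, HashSeed,
// PasswordHash as in the thread; ScryptHash is a hypothetical extra column).
function makeUser(id, login, password) {
  const hashSeed = crypto.randomBytes(16).toString('hex'); // unique per user
  return { id, Login: login, HashSeed: hashSeed,
           PasswordHash: md5SaltedHash(hashSeed, password),
           ScryptHash: scryptHash(hashSeed, password) };
}
const users = [makeUser(1, 'alice', 'correct horse'),
               makeUser(2, 'bob', 'correct horse')];

// Login: query the row by username, hash the submitted password with that
// row's salt, then compare against the stored value. Returns the id or null.
function login(username, password, scheme = 'md5') {
  const row = users.find(u => u.Login === username);
  if (!row) return null;
  const ok = scheme === 'scrypt'
    ? safeEqualHex(scryptHash(row.HashSeed, password), row.ScryptHash)
    : safeEqualHex(md5SaltedHash(row.HashSeed, password), row.PasswordHash);
  return ok ? row.id : null;
}

console.log(login('alice', 'correct horse'), login('alice', 'wrong'));
```

Both constructed users share a password, yet their stored hashes differ because each row has its own HashSeed, which is the property the per-user salt is meant to provide.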