Hi Massimo,
Thanks for explaining all of that.
Please ignore this now as it's working as expected.
Thanks again,
Matt
On Sunday, September 30, 2012 2:01:04 PM UTC+13, Massimo Di Pierro wrote:
>
>
>
> On Saturday, 29 September 2012 18:39:27 UTC-5, Matt wrote:
>>
>> Hi there,
>>
>> The CRYPT function seems to be behaving wildly differently between 1.99.7 and
>> 2.0.x.
>>
>
> Yes. But it is backward compatible. Or at least it should be.
>
>
>> Any new users I've added since moving to 2.0.x are recorded with longer
>> encrypted passwords and existing users consequently can't log in either.
>>
>
> This should not be the case. We ran extensive testing to make sure this is
> not the case. The new CRYPT uses a more secure mechanism for new passwords
> but it still understands existing passwords.
>
>
>> If I run the following (both of these are using the same hmac_key btw) I
>> get two different outcomes.
>>
>> On 1.99.7 calling:
>>
>> value, error = db.auth_user.password.validate('password')
>> print value
>>
>> Returns:
>>
>> --> 87f0d47ce5b9a8faa298d5e28febf693
>>
>> Whereas on 2.0.x calling:
>>
>> value, error = db.auth_user.password.validate('password')
>> print value
>>
>> Returns:
>>
>> --> pbkdf2(1000,20,sha512)$a5408c54281fd146$e6024fe1e813c310e54e29f12113ebdc3eed289b
>>
>> Any feedback on this would be great.
>>
>
> True, but the "value" is not a string in 2.x. value is an object that when
> serialized into a string generates something like
> "pbkdf2(1000,20,sha512)$a5408c54281fd146$e6024fe1e813c310e54e29f12113ebdc3eed289b"
>
> or other depending on the CRYPT parameters. Yet when you compare value with
> an old password as in "87f0d47ce5b9a8faa298d5e28febf693" == value this may
> still be true if the old password corresponds to the same input password.
>
> The internal logic is a little complicated and designed to make sure old
> encrypted passwords still work after the upgrade. The logic is not fully
> explained here but you can see the CRYPT validator has many doctests that
> explain the various cases.
>
> Yet, I understand that you are having a problem with the upgrade. I would
> like to try to reproduce your problem. Any chance you can post an example of
> your db.py so that I can generate an account with 1.99.7 and try to log in
> with 2.x and see what may be causing the problem?
>
> Massimo
>
>
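Added example, not part of the original thread and not web2py's CRYPT code: a simplified Python 3 sketch of the backward-compatible comparison described above, where the validated value is an object that serializes to the new pbkdf2(iterations,keylen,alg)$salt$hash format but still compares equal to an old unsalted hex digest. The names LazyHash, legacy_hash and pbkdf2_hash, the HMAC-MD5 legacy scheme and the way the salt is used are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re

# Hypothetical names throughout; a sketch of the idea, not web2py's implementation.
PBKDF2_RE = re.compile(r"^pbkdf2\((\d+),(\d+),(\w+)\)\$([0-9a-f]*)\$([0-9a-f]+)$")

def legacy_hash(password, key):
    """Old-style record (assumed scheme): unsalted HMAC-MD5 hex digest, 32 chars."""
    return hmac.new(key.encode(), password.encode(), hashlib.md5).hexdigest()

def pbkdf2_hash(password, salt, iterations=1000, keylen=20, alg="sha512"):
    """New-style record: self-describing 'pbkdf2(iter,len,alg)$salt$hash' string."""
    dk = hashlib.pbkdf2_hmac(alg, password.encode(), salt.encode(), iterations, keylen)
    return "pbkdf2(%d,%d,%s)$%s$%s" % (iterations, keylen, alg, salt, dk.hex())

class LazyHash:
    """Keeps the submitted password until it is serialized or compared."""

    def __init__(self, password, key):
        self.password, self.key = password, key
        self._serialized = None

    def __str__(self):
        # Anything written to the database gets the salted pbkdf2 format.
        if self._serialized is None:
            self._serialized = pbkdf2_hash(self.password, os.urandom(8).hex())
        return self._serialized

    def __eq__(self, stored):
        # The stored record decides which algorithm, parameters and salt to use,
        # so records written before the upgrade keep verifying.
        stored = str(stored)
        m = PBKDF2_RE.match(stored)
        if m:
            iterations, keylen, alg, salt, _ = m.groups()
            candidate = pbkdf2_hash(self.password, salt, int(iterations), int(keylen), alg)
        else:
            candidate = legacy_hash(self.password, self.key)
        # Constant-time comparison of the recomputed and stored digests.
        return hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":
    old_record = legacy_hash("password", "constructed-hmac-key")  # constructed sample
    value = LazyHash("password", "constructed-hmac-key")
    print(str(value))           # long pbkdf2(...)$salt$hash string
    print(old_record == value)  # old record still matches the same password
```

Because Python falls back to the right-hand operand's `__eq__`, a plain string on the left (`old_record == value`) is handled by the same logic; comparing two serialized strings from the old and new formats directly will never match.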