Dashboard Error logging seems to of stopped

danielpinfold · November 13, 2023, 9:14pm

Hi, i was testing my database action script earlier today (midday uk time) and getting “Failed Login (wrong password)” errors as my database action script is clearly wrong.

i’ve returned this evening to take another look but i can’t seem to get any authentication errors to log in monitoring → logging area (i’ve always recieved 401 unauthorized on the dashboard on every attempt). Is there a temporary issue with logging for some reason? It’s tricky to fix my script with no way of seeing what is happening My script is below if anyone can point out a simple problem. I’m connecting to an azure database. Thanks.

function login(userNameEmail, password, callback) {
  //this example uses the "tedious" library
  //more info here: http://pekim.github.io/tedious/index.html
  var Connection = require('tedious@1.11.0').Connection;
  var Request = require('tedious@1.11.0').Request;
  var TYPES = require('tedious@1.11.0').TYPES;
  
  var connection = new Connection({
    userName: 'theusername',
    password: 'thepassword',
    server: 'serveraddress',
    options: {
      database: 'databasename',
      encrypt: true,
      rowCollectionOnRequestCompletion: true
    }
  });
  
  const crypto = require('crypto');
  function hashPassword(password, salt) {
    // the default implementation uses HMACSHA256 and since Key length is 64
    // and default salt is 16 bytes, Membership will fill the buffer repeating the salt
    
    const hmac = crypto.createHmac('sha256', Buffer.from(salt));
    hmac.update(Buffer.from(password, 'ucs2'));
    return hmac.digest('base64');
  }
  const hash = hashPassword(password, "thesalt");
  
	var query = "SELECT *" +
	  "FROM Punter P WITH (NOLOCK)" +
	    "WHERE (username = @userNameEmail OR emailAddress = @userNameEmail ) AND " +
	    "passwordHash = @passwordHash "
  
  connection.on('debug', function (text) {
    // Uncomment next line in order to enable debugging messages
     console.log(text);
  }).on('errorMessage', function (text) {
    console.log(JSON.stringify(text, null, 2));    
    return callback(text);
  }).on('infoMessage', function (text) {
    // Uncomment next line in order to enable information messages
     console.log(JSON.stringify(text, null, 2));    
  });
  connection.on('connect', function (err) {
    if (err) { return callback(err); }
    var request = new Request(query, function (err, rowCount, rows) {
      if (err) {
        callback(new Error(err));
      } else if (rowCount < 1) {
        callback(new WrongUsernameOrPasswordError(userNameEmail));
      } else {
        bcrypt.compare(password, rows[0][2].value, function (err, isValid) {
          if (err) { callback(new Error(err)); }
          else if (!isValid) { callback(new WrongUsernameOrPasswordError(userNameEmail)); }
          else {
            callback(null, {
              user_id: rows[0][0].value,
              email: rows[0][1].value
            });
          }
        });
      }
    });
    request.addParameter('userNameEmail', TYPES.VarChar, userNameEmail);
    request.addParameter('passwordHash', TYPES.VarChar, hash); 
    connection.execSql(request);
  });
}

danielpinfold · November 13, 2023, 10:04pm

In fact i think logging is working! it’s just that logs only happen when I attempt to login through my application running in dev on my machine.

So the problem is I can’t seem to compute the same hash that my original application (.net c# website) created when when i populated my user store. (i’m using custom database for authentication stored in azure mssql)

How can I match compute the same hashes in my action script? here is my .net code

using System.Security.Cryptography;
using System.Text;

public Punter Login(string UserName, string Password, int bookmakerId)
{
    var hmac1 = ComputeHMAC_SHA256(Encoding.UTF8.GetBytes(Password),  Encoding.ASCII.GetBytes(ConfigurationManager.AppSettings["Salt"]));
    string tmpPassword = Convert.ToBase64String(hmac1);    
    new punter pnt = _dataAccess.Login(UserName, tmpPassword, bookmakerId);            
    
}

public static byte[] ComputeHMAC_SHA256(byte[] data, byte[] salt)
{
    using (var hmac = new HMACSHA256(salt))
    {
        return hmac.ComputeHash(data);
    }
}

danielpinfold · November 13, 2023, 10:20pm

Well managed to fix it by adding this to my script

    ......
    hmac.update(Buffer.from(password));
    return hmac.digest();
  }
  
  function base64Encode(bytes) {
    return Buffer.from(bytes).toString('base64');
  }  
  
  const hash = base64Encode(hashPassword(password, "thesalt"));
  
	var query = "SELECT *" +
	  "FROM Punter P WITH (NOLOCK)" +
       ........

now the hashes match from my existing database and the computed one from my script

5ItyzSrv/ITmiPJZi0g3nINoOsUBT0Wxru9ggZynImI=
5ItyzSrv/ITmiPJZi0g3nINoOsUBT0Wxru9ggZynImI=

so it should work right? but still getting unauthorized and logging of incorrect password. Any ideas