Password validation not working

knambiar · May 19, 2020, 8:05pm

Hello!

I’m trying to transfer user accounts from our custom Azure SQL database to Auth0 through automatic migration. The custom database uses ASP.NET Identity for authentication. I’m using this login script template.

function fixedTimeComparison(a, b) {
var mismatch = (a.length === b.length ? 0 : 1);
if (mismatch) {
  b = a;
}

for (var i = 0, il = a.length; i < il; ++i) {
  const ac = a.charCodeAt(i);
  const bc = b.charCodeAt(i);
  mismatch += (ac === bc ? 0 : 1);
}

return (mismatch === 0);
}


/**
* validatePassword
*
* This function gets the password entered by the user, and the original password
* hash and salt from database and performs an HMAC SHA256 hash.
*
* @password      {[string]}      the password entered by the user
* @originalHash  {[string]}      the original password hashed from the database
*                                (including the salt).
* @return        {[bool]}        true if password validates
*/
function validatePassword(password, originalHash, callback) {
const iterations = 1000;
const hashBytes = Buffer.from(originalHash, 'base64');
const salt = hashBytes.slice(1, 17);
const hash = hashBytes.slice(17, 49);
crypto.pbkdf2(password, salt, iterations, hash.length, 'sha1', function(err, hashed) {
  if (err) return callback(err);

  const hashedBase64 = Buffer.from(hashed, 'binary').toString('base64');
  const isValid = fixedTimeComparison(hash.toString('base64'), hashedBase64);

  return callback(null, isValid);
});
}

I’ve been getting a 401-Unauthorized error every time I try to log in. It looks like the fixedTimeComparison function returns false. Has anybody run into the same issue?

john.gateley · May 20, 2020, 2:25pm

You can put in some logging (using the Realtime Webtask Logs extension) and that will give you more information on exactly what is failing.

If that isn’t enough to figure it out, pull the code out into your dev environment, try a known password from the DB and see if you can validate it.

John

knambiar · May 21, 2020, 11:43am

Hi John!

I got my login script to work. I changed the validatePassword function to work for ASP.NET Identity Version 3 password formats.

function validatePassword(password, originalHash, callback) {
var iterations = 10000;
var hashBytes = Buffer.from(originalHash, 'base64');
var salt = hashBytes.slice(13, 29);
var hash = hashBytes.slice(29, 61);
crypto.pbkdf2(password, salt, iterations, hash.length, 'sha256', function(err, hashed) 
              {
  							if (err) 
                {        					
    							return callback(err);
  							}
  							var hashedBase64 = Buffer.from(hashed, 'binary').toString('base64');
  							var isValid = fixedTimeComparison(hash.toString('base64'), 
                                                  hashedBase64);

  							return callback(null, isValid);    
							});
}

konrad.sopala · May 21, 2020, 12:34pm

Perfect! Glad to hear that @knambiar!

system · June 5, 2020, 12:42pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Password validation fails in login script for ASP.NET Identity custom database Help password , custom-database , validate , password-hash	2	4712	August 26, 2019
Migrate users from Asp.net Identity to Auth0 Help migrate-users	4	4477	December 14, 2020
Password hashing on custom login script for custom database integration with ASP.NET Membership Provider Help password , custom-database , aspnet , password-hash	2	2849	November 9, 2021
Migrating users from ASP.NET Identity Core (2.0) to Help aspnet-core , migration , user-migration , migrate-users	6	4857	July 28, 2022
Password error in migrate users Help migrate-users	7	3692	May 24, 2020

Password validation not working

Related Topics