Password validation not working

Hello!

I’m trying to transfer user accounts from our custom Azure SQL database to Auth0 through automatic migration. The custom database uses ASP.NET Identity for authentication. I’m using this login script template.

/**
 * Compares two strings without short-circuiting on the first differing
 * character, so the time taken does not reveal where the strings diverge.
 *
 * @param {string} a  first string (usually the stored value)
 * @param {string} b  second string (usually the candidate)
 * @returns {boolean} true only when both strings have the same length and
 *                    identical char codes at every position
 */
function fixedTimeComparison(a, b) {
  // A length difference is already a failure; the loop below then compares
  // `a` against itself so that it still does a full pass of a.length steps.
  let mismatch = a.length === b.length ? 0 : 1;
  const probe = mismatch === 0 ? b : a;

  for (let i = 0; i < a.length; i += 1) {
    if (a.charCodeAt(i) !== probe.charCodeAt(i)) {
      mismatch += 1;
    }
  }

  return mismatch === 0;
}


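/**
 * validatePassword
 *
 * Checks the password entered by the user against a stored ASP.NET Identity
 * (version 2 format) password hash: one 0x00 marker byte, a 16-byte salt and
 * a 32-byte PBKDF2 subkey derived with HMAC-SHA1 over 1000 iterations. The
 * original header comment said SHA256, but the code has always used 'sha1',
 * which is what the v2 hasher uses.
 *
 * @param {string}   password      the password entered by the user
 * @param {string}   originalHash  base64 of the stored hash from the database
 *                                 (marker + salt + subkey)
 * @param {function} callback      callback(err) when PBKDF2 fails, otherwise
 *                                 callback(null, isValid)
 */
function validatePassword(password, originalHash, callback) {
  const iterations = 1000;
  const saltStart = 1; // byte 0 is the format marker (0x00 for v2)
  const saltEnd = saltStart + 16;
  const hashEnd = saltEnd + 32;

  const hashBytes = Buffer.from(originalHash, 'base64');

  // Fail closed on an empty, truncated or differently-formatted record. Without
  // this guard a short record yields a zero-length subkey, pbkdf2 then derives a
  // zero-length key, and the comparison of two empty values succeeds for ANY
  // password.
  if (hashBytes.length < hashEnd || hashBytes[0] !== 0x00) {
    return callback(null, false);
  }

  const salt = hashBytes.subarray(saltStart, saltEnd);
  const hash = hashBytes.subarray(saltEnd, hashEnd);

  crypto.pbkdf2(password, salt, iterations, hash.length, 'sha1', function (err, hashed) {
    if (err) return callback(err);

    // `hashed` is already a Buffer of exactly hash.length bytes, so the
    // constant-time comparison can be done on the raw bytes; no base64
    // round-trip and no length special-casing needed.
    return callback(null, crypto.timingSafeEqual(hash, hashed));
  });
}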

I’ve been getting a 401-Unauthorized error every time I try to log in. It looks like the fixedTimeComparison function returns false. Has anybody run into the same issue?

You can put in some logging (using the Realtime Webtask Logs extension) and that will give you more information on exactly what is failing.

If that isn’t enough to figure it out, pull the code out into your dev environment, try a known password from the DB and see if you can validate it.

John

Hi John!

I got my login script to work. I changed the validatePassword function to work for ASP.NET Identity Version 3 password formats.

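/**
 * validatePassword
 *
 * Checks the password entered by the user against a stored ASP.NET Core
 * Identity (version 3 format) password hash. The layout is: marker byte 0x01,
 * then three big-endian UInt32 fields (PRF id, iteration count, salt length),
 * then the salt, then the PBKDF2 subkey (the remainder of the record). The
 * PRF, iteration count and salt length are read from the header instead of
 * being hard-coded, so records written with non-default hasher settings
 * validate too; the defaults (sha256, 10000, 16) give the same offsets the
 * hard-coded version used.
 *
 * @param {string}   password      the password entered by the user
 * @param {string}   originalHash  base64 of the stored hash from the database
 * @param {function} callback      callback(err) when PBKDF2 fails, otherwise
 *                                 callback(null, isValid)
 */
function validatePassword(password, originalHash, callback) {
  const HEADER_LENGTH = 13; // 1 marker byte + 3 × UInt32BE
  const MIN_SUBKEY_LENGTH = 16;
  const PRF_NAMES = { 0: 'sha1', 1: 'sha256', 2: 'sha512' };

  const hashBytes = Buffer.from(originalHash, 'base64');

  // Fail closed on an empty, truncated or non-v3 record. Without this guard a
  // short record would produce a zero-length subkey and an empty PBKDF2 key,
  // which compare equal for ANY password.
  if (hashBytes.length < HEADER_LENGTH || hashBytes[0] !== 0x01) {
    return callback(null, false);
  }

  const prf = PRF_NAMES[hashBytes.readUInt32BE(1)];
  const iterations = hashBytes.readUInt32BE(5);
  const saltLength = hashBytes.readUInt32BE(9);
  const subkeyStart = HEADER_LENGTH + saltLength;

  if (prf === undefined || iterations < 1 || hashBytes.length < subkeyStart + MIN_SUBKEY_LENGTH) {
    return callback(null, false);
  }

  const salt = hashBytes.subarray(HEADER_LENGTH, subkeyStart);
  const hash = hashBytes.subarray(subkeyStart);

  crypto.pbkdf2(password, salt, iterations, hash.length, prf, function (err, hashed) {
    if (err) {
      return callback(err);
    }

    // `hashed` is a Buffer of exactly hash.length bytes, so the constant-time
    // comparison runs on the raw bytes with no base64 round-trip.
    return callback(null, crypto.timingSafeEqual(hash, hashed));
  });
}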

Perfect! Glad to hear that @knambiar!