Closed Htbaa closed 5 years ago
@bjgajjar Even though I can't reproduce it (yet), can we make sure somehow that this doesn't happen in any case? If the hashing fails for some reason, the API should always error out.
A password should never make it to the database in plain text.
@rijkvanzanten
Agree with you! This is not reproducible! The password will always be stored with hash encryption.
(some of the replies didn't transfer over, see https://github.com/directus/app/issues/1656)
@Htbaa the schema.sql file seems to be outdated. Running the DB Upgrade from the admin settings menu should solve this for you. We'll get that backup schema.sql updated.
But the unhashed password was after I updated the account through the app. Or is it because of a schema mismatch that it's not possible to save a hashed password?
The schema.sql doesn't use the correct field type for the password field it seems. Installing through the normal install flow populates the database with the correct values. Running the DB upgrade from the admin settings should bump the old installation to the current values.
I have a similar issue: If I change the password of a user in the "Edit profile" page, the user can no longer login any more.
I can confirm that the changed password is encrypted in the database, however login with the changed password doesn't work...
I copied the password from a text file in order to avoid spelling issues.
Hello @christianrr
Kindly remove the interfaces, layouts, and pages directories from /public/extensions/core of API to resolve this issue.
@bjgajjar Thanks for the hint, for me it was sufficient to delete the passwords interface from /public/extensions/core
@Htbaa Were you able to resolve the issue? Kindly let us know!
@bjgajjar I haven't tried the offered solution. I decided to check out the latest tagged version which also solved some other weird issues, but haven't tried changing passwords yet though.
Please check that once and let us know if the issue occurs still or not. So we can close it.
This is not replicated in the latest version so closing this. Feel free to reopen :)
Hi,
I just installed Directus App and API. Added a new project, deployed schema.sql to the new database. After changing the password of the default admin user I can no longer login. Inspecting the database the password is saved unencrypted, causing login to fail.
This was on Directus 7.4.0.
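The requirement raised in this thread (if hashing fails the API should error out, and a password column of the wrong type should not silently store something unusable) as an added Python example. It is not Directus code: the `users` table, the PBKDF2 parameters and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 200_000  # assumed work factor, chosen for this example

class PasswordStorageError(Exception):
    """Raised instead of writing a value that does not verify as a hash."""

def hash_password(password):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, encoded):
    try:
        scheme, iters, salt, dk = encoded.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt), int(iters))
        return hmac.compare_digest(calc.hex(), dk)
    except (ValueError, TypeError, AttributeError, OverflowError):
        return False  # malformed, truncated or plain-text value

def set_password(conn, user_id, new_password, hasher=hash_password):
    encoded = hasher(new_password)
    # Check 1: the hasher's output must verify before anything is written.
    if not verify_password(new_password, encoded):
        raise PasswordStorageError("hashing failed, nothing written")
    with conn:  # commits on success, rolls back if the block raises
        conn.execute("UPDATE users SET password = ? WHERE id = ?",
                     (encoded, user_id))
        row = conn.execute("SELECT password FROM users WHERE id = ?",
                           (user_id,)).fetchone()
        # Check 2: what the column actually holds must still verify
        # (catches a column type or length that mangles the hash).
        if row is None or not verify_password(new_password, row[0]):
            raise PasswordStorageError("user missing or stored value does not verify")

def make_demo_db():
    # Constructed sample data: one user in an in-memory SQLite table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT)")
    with conn:
        conn.execute("INSERT INTO users VALUES (1, ?)",
                     (hash_password("old-pass"),))
    return conn
```

Because the read-back check runs inside the transaction, a failed update leaves the previous hash in place, so the account is neither downgraded to plain text nor locked out.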