Closed boggodan closed 9 years ago
I've actually fixed it.
I was adding the salt again here:
$passwordDigest = base64_encode(sha1($nonce . $created . $enc_password . "{".$user->getSalt()."}", true));
I changed it to:
$passwordDigest = base64_encode(sha1($nonce . $created . $enc_password, true));
Closing the issue.
Hi,
thanks for this great example that got us started off with WSSE + FOSUserBundle. I'm having an issue however:
By default it seems that the encoder for the user passwords is set to plaintext. I realise that it is generally fine as the passwords are never exchanged except when the user requests a token. However, this still means that the plaintext passwords are in the database, creating a huge vulnerability.
I'm trying to switch my password encoder to sha512. This makes all the users have encrypted passwords, however the created tokens don't seem to be valid anymore. Somewhere there is something lost in translation. What I did was, in my SecurityController:
I then used the encoded password in my digest generation:
My rationale was that it would then generate the token digests based on the password the user provided in their login form encrypted the same way as the one in the database. Then when the user provides their token details again for API access this should match up with the expected digest generated from the already encrypted password in the database. However, it still doesn't work. I always get a 401 response when I use the tokens generated either with or without encrypting the submitted password.
I'd appreciate any help on this issue.
Many Thanks, Bogdan
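The agreement the two sides need, as an added example that is not part of the issue or of the project's code: the client digests the already-encoded password exactly as it is stored, and appending the salt a second time (the mistake described in the closing comment) produces a digest the server rejects. The encoder below is a constructed stand-in for a salted sha512 encoder rather than Symfony's exact scheme, the header parsing is simplified, and Python is used in place of the issue's PHP.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timezone

# Constructed sample credentials; nothing here comes from the issue.
SALT = "k3s9x2q1"
RAW_PASSWORD = "correct horse battery staple"


def encode_password(raw: str, salt: str) -> str:
    """Stand-in for a salted sha512 encoder (hypothetical, not Symfony's exact
    scheme). The salt is merged here, so callers must not append it again."""
    salted = f"{raw}{{{salt}}}".encode()
    return base64.b64encode(hashlib.sha512(salted).digest()).decode()


def wsse_digest(nonce: bytes, created: str, secret: str) -> str:
    """WSSE UsernameToken PasswordDigest = base64(sha1(nonce + created + secret))."""
    data = nonce + created.encode() + secret.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def client_header(username: str, secret: str) -> str:
    """Build the X-WSSE header the way a client would, from a fresh nonce."""
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = wsse_digest(nonce, created, secret)
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{base64.b64encode(nonce).decode()}", Created="{created}"')


def server_validate(header: str, stored_secret: str) -> bool:
    """Recompute the digest from the stored (already encoded) password and
    compare in constant time. A real provider also rejects stale Created
    values and reused nonces; that replay check is omitted here."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
    nonce = base64.b64decode(fields["Nonce"])
    expected = wsse_digest(nonce, fields["Created"], stored_secret)
    return hmac.compare_digest(expected, fields["PasswordDigest"])


def demo() -> tuple[bool, bool]:
    """Returns (accepted when digesting the stored hash, accepted when the salt is re-appended)."""
    stored = encode_password(RAW_PASSWORD, SALT)               # what the database holds
    good = client_header("bogdan", stored)                     # the fix from the closing comment
    bad = client_header("bogdan", stored + "{" + SALT + "}")   # the original double-salt mistake
    return server_validate(good, stored), server_validate(bad, stored)
```

Running `demo()` returns `(True, False)`: only the header digested over the stored hash verifies, which is why the double-salted tokens always came back 401.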