umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com
MIT License

UserManager ValidateCredentials fails for legacy (V7/V8) passwords #12972

Closed. busrasengul closed this 2 years ago

busrasengul commented 2 years ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

V9 and V10

Bug summary

We upgraded our DB from V7.14.0 to V8.18.5 then V9 and V10.

Our existing members and password hashes were migrated.

We tried to call ValidateCredentials for these members and it always returns false.

Specifics

Umbraco has the MemberPasswordHasher which then calls LegacyPasswordSecurity.

This successfully validates the correct legacy password hash and returns true.

As it's a legacy password the MemberPasswordHasher returns PasswordVerificationResult.SuccessRehashNeeded which seems helpful because it allows you to perform different logic.

But UmbracoUserManager checks that this method returns PasswordVerificationResult.Success to determine if the password is valid. Therefore it's always false for every legacy password.

Steps to reproduce

Upgrade a DB that has legacy passwords for members in it.

Attempt to authenticate the migrated passwords on V9 and V10 via IMemberManager ValidateCredentialsAsync.

Expected result / actual result

The MemberManager should check for either the Success or the SuccessRehashNeeded state when validating a password.

If this isn't suitable perhaps there should be a config that allows this check (off by default).
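As an added illustration (not Umbraco's own code), the strict comparison the issue describes next to a check that accepts both success values of the `PasswordVerificationResult` enum from Microsoft.AspNetCore.Identity and rehashes a legacy hash on the spot, so migrated V7/V8 hashes are retired on first successful login rather than lingering in the database. `LegacyMember`, `CredentialCheck` and the `persist` callback are hypothetical names for this example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical member type used only for this illustration.
public class LegacyMember
{
    public string UserName { get; set; } = "";
    public string PasswordHash { get; set; } = "";
}

public static class CredentialCheck
{
    // The behaviour described in the issue: only Success counts, so a migrated
    // V7/V8 hash, which the hasher reports as SuccessRehashNeeded, is rejected
    // even though the password was correct.
    public static bool ValidateStrict(
        IPasswordHasher<LegacyMember> hasher, LegacyMember member, string password)
    {
        var result = hasher.VerifyHashedPassword(member, member.PasswordHash, password);
        return result == PasswordVerificationResult.Success;
    }

    // The behaviour the issue asks for: both success states mean the password
    // matched. SuccessRehashNeeded additionally upgrades the stored hash to the
    // current format, so the legacy hash is replaced after this login.
    public static async Task<bool> ValidateAndUpgradeAsync(
        IPasswordHasher<LegacyMember> hasher,
        LegacyMember member,
        string password,
        Func<LegacyMember, Task> persist) // assumed callback that saves the member
    {
        var result = hasher.VerifyHashedPassword(member, member.PasswordHash, password);
        switch (result)
        {
            case PasswordVerificationResult.Success:
                return true;
            case PasswordVerificationResult.SuccessRehashNeeded:
                // Correct password in a legacy format: rehash with the current
                // algorithm and persist before reporting success.
                member.PasswordHash = hasher.HashPassword(member, password);
                await persist(member);
                return true;
            default:
                // PasswordVerificationResult.Failed or any future value.
                return false;
        }
    }
}
```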

github-actions[bot] commented 2 years ago

Hi there @busrasengul!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face: