thirty bees forum

Customer WebService passwd encrypt


Question

Posted

Hello everyone,

I'm trying to perform an authentication from an app against the Prestashop webservice. I already have access to the webservice and I have access to the emails and encrypted passwords of the customers.

My problem is that, assuming that the password is 123456, I do not know how to encrypt it to compare it with the encrypted one in Prestashop.

I have searched and read in many posts that the way to do it is using md5 (cookierkey_ + password). I have tried it that way, but the result it gives me is not like anything that is saved in the Prestashop database.

The md5 function returns something like: f01e5b4d319dba0b6d41ec601d7720fd but the encryption format in the database is something like: $2y$10$36OeM33DN5zqrKWMnXqgz.RDzVorpZDl3do3UaRuhwDhlXsOh.jwO. It is not an encrypted format of type MD5.

Can somebody help me? Is Thirty Bees modifying / adding an additional encryption because md5 is no longer secure?

Thank you very much

4 answers to this question

Posted

@radell Hi there.

md5 was the old, insecure way of hashing passwords. The legacy code is still present, but right after a user with an old hash logs in, it is converted to the new format, that uses the built-in PHP function password_hash, as follows:

```php
password_hash($password, PASSWORD_BCRYPT)
```

In the same way, to verify a password you should use the password_verify function:

```php
password_verify($provided_password, $user_password_in_db)
```

Needless to say, if there's still any user with the old md5 hash, the password verification will return false.
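The check described in this answer, as an added example that is not part of the original post or thirty bees' own code: it shows why hashing 123456 again and comparing strings can never match a `$2y$` value (every bcrypt hash carries its own random salt) and how a legacy md5 value can be recognised and upgraded at login. The function name, the `COOKIE_KEY` value, the `md5(key . password)` legacy layout taken from the question, and the sample records are assumptions.

```php
<?php
// Added example. COOKIE_KEY is a constructed placeholder for the shop's secret.
const COOKIE_KEY = 'constructed-cookie-key';

/**
 * Hypothetical helper: returns [bool $ok, ?string $newHash].
 * $newHash is non-null when the stored value was a legacy md5 hash and
 * should be replaced in the database with the returned bcrypt hash.
 */
function verify_customer_password(string $provided, string $stored): array
{
    // Legacy format: 32 hex characters, no "$2y$" prefix.
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        $legacy = md5(COOKIE_KEY . $provided);
        // hash_equals compares in constant time.
        if (!hash_equals(strtolower($stored), $legacy)) {
            return [false, null];
        }
        // Upgrade on successful login, as the answer describes.
        return [true, password_hash($provided, PASSWORD_BCRYPT)];
    }
    // Current format: bcrypt. Salt and cost are embedded in the stored
    // string, so the comparison has to go through password_verify.
    return [password_verify($provided, $stored), null];
}

// Constructed sample records for the password used in the question.
$bcryptStored = password_hash('123456', PASSWORD_BCRYPT);
$legacyStored = md5(COOKIE_KEY . '123456');

echo "correct password, bcrypt record: ";
var_dump(verify_customer_password('123456', $bcryptStored)[0]);
echo "wrong password, bcrypt record:   ";
var_dump(verify_customer_password('wrong', $bcryptStored)[0]);

[$ok, $newHash] = verify_customer_password('123456', $legacyStored);
echo "correct password, legacy record: ";
var_dump($ok);
echo "upgraded hash verifies:          ";
var_dump(password_verify('123456', $newHash));

// A second password_hash call draws a new salt, so a plain string
// comparison against the stored hash is not a valid check.
echo "re-hash equals stored hash:      ";
var_dump(password_hash('123456', PASSWORD_BCRYPT) === $bcryptStored);
```

Run server-side (the controller option raised later in the thread), this check needs only the password from the app; the stored hashes stay in the shop.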

Posted

Thank you very much for the reply,

As I thought, md5 is obsolete and the encryption has changed.

So, is there any way of knowing what type of encryption the function password_hash($password, PASSWORD_BCRYPT) uses, to do the same in Angular and in this way be able to compare whether the password from the app is the same as the one in the database?

Or do I have to create a new controller in Prestashop to pass the password and check it with password_verify($provided_password, $user_password_in_db)?

Posted

@radell As can be seen in the password_hash function call's second parameter, the type of encryption (hashing, really) is bcrypt, which is an open specification. I'm pretty sure there's plenty of libraries for javascript and probably even some Angular-specific ones for it.

Posted

Thank you very much for your help.

The problem I really had is that I could not see the code, I only have access to the webservice. That's why I've had so many problems to know what kind of encryption that function used on the inside.

I really appreciate your help. Problem fixed.
