Saving passwords from MODx Rev

eclipsetalk Member
in Help edited December 2011
Hello,
I'm synchronizing Modx users with FC users. I'm using 0.7.2 since there is an RSA PBKDF2 setting for password hashing.
To save the password, should I use:
- $foxyData["customer_password"] = $password;
or
- $foxyData["customer_password_hash"] = $password;

If I want to update an existing user can I use:
$foxyData["api_action"] = "customer_save";
Will it override the values I'm setting or is there a "customer_update" function?

Thanks for your help
Comments
  • luke FoxyCart Team
    Hello eclipsetalk.

    If you're sending the clear text password, then you'd want to update the customer_password. If you're sending the hash, you'll want to update the hash. Keep in mind you'll also have to send the customer_password_salt as described here: http://wiki.foxycart.com/v/0.7.2/api#customer

    As for customer_save, yes, that is correct. All of the "_save" api calls do either an update or an insert depending on if the record already exists. The values that you pass in will overwrite the values already there, otherwise everything will remain as it already is in the database.
  • Thanks Luke -
    Regarding saving the password in MODx Rev, to recap I should do the following, correct?

    // Get password
    $password = $modx->user->get('password');
    .......

    // Save password in FC
    $foxyData = $password;
    $foxyData = $password;

    Thanks
  • luke FoxyCart Team
    Sorry, I'm not familiar enough with MODx inner workings to know what comes back from a user get('password'). My hunch is that it would just be the hash though... which means the salt would be separate, correct?

    Can someone more familiar with MODx chime in?
  • eclipsetalk Member
    edited December 2011
    Could anyone please share how to synchronize passwords with MODX Rev 2.x and FoxyCart 7.0.2? I tried using a combination of:
    - $foxyData = $password;
    - $foxyData = $password;
    but when I checkout the password is not recognized.
    Thanks for sharing
  • fc_adam FoxyCart Team
    @eclipsetalk,

    Can you check to see if this returns anything?
    $modx->user->get('salt');
    
  • luke FoxyCart Team
    Did you understand my previous reply? Setting the salt to the password won't get you what you're looking for. The salt and the hash are two completely different things. The salt, combined with the clear-text password, is used to generate the hash of the password. All you need is the salt and the hash in order for FoxyCart to verify the clear-text password when it is entered by the customer.
  • eclipsetalk Member
    edited December 2011
    fc_adam:
    $modx->user->get('salt');
    
    returns a valid value.

    Luke: Sorry, I'm still confused. Thanks for bearing with me...
    $password = $modx->user->get('password');
    
    returns the user's encrypted password.
    I understand that I need the clear text password and the salt value to generate the encrypted password in MODx Rev. My problem is when I synchronize fc users and MODX users. I get the MODx encrypted password via
    $password = $modx->user->get('password');
    
    but which fields do I need to update on the fc side? I tried this but it doesn't seem to work:
    $foxyData['customer_password_hash'] = $password;
    $foxyData['customer_password_salt'] = $salt;
    

    Thanks for your help.
  • luke FoxyCart Team
    edited December 2011
    Did you obtain $salt via
    $salt = $modx->user->get('salt');
    ?

    It sounds like the problem here has to do with obtaining the correct password hash and the correct salt out of the MODx system. For those questions, their forum might be a little more helpful. The RSA PBKDF2 implementation is relatively new on our side so if there's a problem, we definitely want to know about it. If you have a temporary or test password hash and salt you can share with us, we can test from our end as well if that would be helpful. Since we aren't seeing your full script, it's hard to know what else might be causing you trouble here.
  • Thanks for your help. I thought I could get the plain text from the hash in MODx but salt is a one-way algorithm. I solved it by using the same salt value as MODX and saving the password in plain text.
  • brett FoxyCart Team
    @eclipsetalk, can you perhaps share the relevant MODX code on pastie.org or something? I'll check with the MODX guys too, as I can't find documentation to get the salt, but I'm assuming it's there somewhere.

    Salting and hashing is a little confusing, but the key is that FoxyCart and MODX both need to have the same salt value for each user's password or it simply won't work. We'll help you figure it out, but let us see what you have (and whether or not it's working). (Specifically, you could look in your MODX database, get the stored password value for a user with a known password (like your own user), and whisper that to one of us along with the salt value (again, also in the database) and the cleartext password. Then we can look in your store's records to see if that customer was synched correctly.)
  • eclipsetalk Member
    edited January 2012
    Sure here it is http://pastie.org/3109958
    This is a MODx Rev plugin that listens to system events "OnUserChangePassword" and "OnUserSave"

    Thanks for letting me know if you see anything odd.
  • eclipsetalk Member
    edited January 2012
    Hi,
    I'd like to post again regarding the password synchronization issues between MODx Rev and fc as I haven't heard anything for a few weeks now.
    It works fine when I synchronize passwords from MODx and then create a corresponding user in FC via the FC APIs. Upon checkout via SSO, the user is already logged in to FC and all address fields are pre-populated.
    However, I still have a problem when a client goes to FC first and purchases a product. At that time I create a corresponding MODx user, set the salt value from fc to MODx without problem but then I can't seem to be able to set the right password field.

    In MODX 2.1+, users are created by default with a hashing algorithm called PBKDF2. To set the MODx password field in the database, one needs to change the hash_class specified for the user from hashing.modPBKDF2 to hashing.modMD5. Then one can use the native MD5() function to set the value of the password field appropriately. Here is an example MySQL UPDATE statement:

    UPDATE modx_users SET hash_class = 'hashing.modMD5', password = MD5('password-text') WHERE username = 'theusername';

    Obviously I can't use the code above since I don't have access to the plain text password.

    I tried the following but it doesn't work:

    $fcPassword = $foxyData['customer_password'];
    or
    $fcPassword = $foxyData['customer_password_hash'];

    $modx->user->set('password', $fcPassword) ;

    The problem is that MODX expects a plain text password with the api user->set('password', $fcPassword) and it encrypts the fc password which is already encrypted.
    I hope I made myself understood. Please let me know if it's not clear.
    Thanks for any input and help you can share...



  • luke FoxyCart Team
    Eclipsetalk, I'm sorry you haven't gotten the response you need. Have you tried asking in the MODx forums directly? We have support for their PBKDF2 algorithm which we added in 072. If you create a user in MODx and have access to that user's hash and salt, that should be all you need to synchronize that user with FoxyCart. You wouldn't need the clear text password. Does that make sense? If there's something broken with our implementation of PBKDF2, we'll definitely get it fixed, but from the tests we've done, it seems to be working correctly. Do you have a salt and hash that isn't working or are you just trying to figure out how to access the hash and salt via MODx?
  • Thanks for the reply.
    The problem is that in MODx one has only access to the salt and password, not the hash.
    I'll ask in the MODx forum and I hope I can be proven wrong :-). I need that hash value....
  • luke FoxyCart Team
    You're saying you get access to the clear text password? If so, you can always generate the hash again, correct?
  • No, not the clear-text password.
    $modx->user->get('password'); returns the encrypted password but I don't know how to get the hash....
  • brett FoxyCart Team
    edited January 2012
    Hi @eclipsetalk. Sorry for the delay.

    I asked the MODX guys and these are the relevant calls:
    $modx->user->get('salt');
    $modx->user->get('hash');

    But in order for FoxyCart to recreate the hash, you need the unhashed (cleartext) password + salt, not the hashed password + salt. The latter is useless as you cannot recreate the hash from the salt without the cleartext password.

    Also:

    $modx->user->get('hash_class');

    Which will return "hashing.modPBKDF2" or "hashing.modMD5"
    Does that help? I don't have a Revo install to mess with, so I don't know how ->get('password') and ->get('hash') differ (if at all). I'm assuming that they're the same thing, since the "encrypted password" you mention _is_ the hash. Hashing is one-way encryption, fwiw. Worth understanding, if you have some time, since it's pretty fun stuff.
  • Thanks Brett and Luke for the explanation.
    I'll give it another try this week. I'll keep you posted.
  • eclipsetalk Member
    edited January 2012
    My findings with MODX Rev and FC password integration for those who care:

    I cannot synchronize passwords with MODX for users created first in FC via the datafeed.

    The problem with MODX is that I cannot set a password_hash value.

    - The api $modx->user->set('password', "clear-text-password"); expects a clear-text password and then encrypts it with the salt value. The password value I get from FC is already encrypted, therefore useless.

    - The salt values returned in FC and MODX are identical.

    By the way $modx->user->get('hash'); returns nothing...
  • luke FoxyCart Team
    Thanks for following up. Have you posted in the MODx forums about these issues and limitations?
  • brett FoxyCart Team
    @eclipsetalk, wondering if you could link me to any threads you hit on the MODX forum. I'd definitely like to ping them about this, as it seems like it shouldn't be too big a deal for them to extend the MODX API a little bit to allow this. Also, it seems like a necessary improvement.
  • No, I don't have any links as I didn't get any response from the MODx forum...
  • luke FoxyCart Team
    @eclipsetalk I think @brett is asking if you could provide us with a link to the post you made on the modx forums so we can continue the discussion there. If no one responded to your post, we'd like to be the first to try. :) Without a link, it will be difficult for us to find.
  • gearvyllc Member
    In case other Modx users find this thread, whenever Modx switched to the "hashing.modNative" hash class, they went to the PHP native function for password_hash() at least as of v2.7;

    MODX v2.7 or June 2018 and later versions
    https://github.com/modxcms/revolution/commits/39691fd0649ceb0e3d6c2349d82b7fa0fbb487ec/core/model/modx/hashing/modnative.class.php

    PHP Docs - https://www.php.net/manual/en/book.password.php

    If a new user begins a transaction in FoxyCart, and you want to create the user in Modx using the username and password they created in FoxyCart:

    1. Make sure "FoxyCart Admin > Advanced settings > customer password hash type" is set to "BCrypt (with cost)"
    2. Create the user first with the $modx api and save the new ID (Hard coded in the example, but would be the result of the create)
    3. Run a manual update statement with $modx->query();
    4. User can now log into Modx with the same Username/Password as FoxyCart

    Example:
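    $newUserId = 99; // hard-coded for the example; normally the ID returned by the create call
    $passwordHash = $this->modx->quote($foxy['passwordHash']); // quote() escapes the value and wraps it in quotes
    $passwordSalt = $this->modx->quote($foxy['passwordSalt']);
    $sql = "UPDATE `modx_users` SET `password` = $passwordHash, `salt` = $passwordSalt WHERE `id` = " . (int) $newUserId;
    $update = $this->modx->query($sql);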
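
An added illustration of why the bcrypt setting in step 1 makes the hash portable (this is not code from the thread, FoxyCart or MODX): the receiving system stores the hash string exactly as delivered and PHP's password_verify() checks logins against it, so the cleartext is never transferred. The function name isPortableBcryptHash, the variable names and the sample password are constructed for the example.

```php
<?php
/**
 * Hypothetical helper: accept only a well-formed bcrypt string before it is
 * written to the users table, and reject hashes below a minimum cost.
 */
function isPortableBcryptHash(string $hash, int $minCost = 10): bool
{
    // 60 characters: "$2y$" + two-digit cost + "$" + 22-char salt + 31-char digest.
    // The salt is embedded in the string itself.
    if (!preg_match('/^\$2[ay]\$(\d{2})\$[.\/A-Za-z0-9]{53}$/', $hash, $m)) {
        return false;
    }
    return (int) $m[1] >= $minCost;
}

// Constructed sample: stands in for the hash the cart's datafeed would deliver.
// The sending side is the only place the cleartext ever exists.
$cleartext = 'correct horse battery staple';
$incoming  = password_hash($cleartext, PASSWORD_BCRYPT, ['cost' => 10]);

// Receiving side: validate the format, then store the string unchanged.
if (!isPortableBcryptHash($incoming)) {
    throw new RuntimeException('Refusing to store a non-bcrypt password hash');
}
$stored = $incoming; // the value that would go into the `password` column

// Later login attempts on the receiving system: password_verify() re-derives
// the hash from the candidate password and the salt embedded in $stored.
$goodLogin = password_verify('correct horse battery staple', $stored);
$badLogin  = password_verify('wrong guess', $stored);

// An MD5 value from the older hashing.modMD5 class fails the format check,
// so it would not be written into a column that expects bcrypt.
$legacyAccepted = isPortableBcryptHash(md5('password-text'));

var_dump($goodLogin, $badLogin, $legacyAccepted);
```
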


  • brett FoxyCart Team
    Thanks so much @gearvyllc for posting this. Greatly appreciated!