More problems logging in with FoxyCart Accounts

swensor Member
in Bugs & Feature Requests edited June 2009
Hey,

For the store cgcw.foxycart.com I created these accounts:

riley@utah.edu
joseph.swenson@utah.edu

They were fed into my system, presumably with incorrect hashing. Their logins do not work in my system or in yours, though I am entering the correct password (retrieved via email) and attempting it numerous times. I get a message saying invalid password from both systems. I am supposed to be using SHA1 for the passwords; my guess is the authentication is trying a different algorithm. Any ideas? I need this stuff to work ASAP.

swensor
Comments
  • brett FoxyCart Team
    Hi swensor.
    I'm sorry for the frustration. We had an issue with the SHA-1 passwords, but we thought it was fully addressed. It seems as though we were wrong.

    Just to make sure, when you're using the API and sending the hashes into FoxyCart, are you sending them as customer_password, or customer_password_hash? The former will hash them _again_, which isn't what you'd want. The latter is how you should send your password hashes into FoxyCart.

    If you're passing them in as customer_password_hash, then... let us know. We'll take a look either way, but we really thought we resolved this one.
  • FWIW, a reminder that this is the same issue I have over in the open thread, "Foxybox and Password Troubles." I'm sending the hashes as "customer_password."
    <form action="https://example.foxycart.com/api" method="post">
    api action:<input type="text" name="api_action" value="customer_save"/><br/>
    api token: <input type="text" name="api_token" value="--key code here---"/><br/>
    customer:  <input type="text" name="customer_email" value=""/><br/>
    pwd:  <input type="text" name="customer_password" value=""/><br/>
    phone:  <input type="text" name="customer_phone" value=""/><br/>
    company:  <input type="text" name="customer_company" value=""/><br/>
    <input type="submit"/>
    
    </form>
    
  • luke FoxyCart Team
    Hey swensor.

    We just implemented (yet another) fix for 051. It seems to be working as expected now. As I'm sure you know, any passwords set up as MD5 will have to be updated via the API to get them in SHA1 (which should now be working).

    Thank you for your patience. It is beyond what should be expected of anyone.

    If you see any other problems, please let us know and we'll do our best to fix those too.
  • luke FoxyCart Team
    DoubleC: if you want to set the hash directly with the API, send customer_password_hash, otherwise send the clear text password when updating customer_password. You were probably running into the same bug swensor was which should be fixed now.
  • brett: I have a follow-up question to this issue. I'm integrating FoxyCart into a system that's using md5, but the password isn't recognized when you get to the checkout page. Currently I'm setting the customer password for transfer to the api as:
    $foxyData["customer_password"] = md5($password);
    

    Is this the right format? I'd rather not pass in the actual password for security reasons.

    I'm getting an 'Incorrect Password' message when I pass it in this way and then try to log into the cart. Everything else seems to be working ok up until this point. Thoughts?
  • sparkweb Member, Integration Developer, FoxyShop, Order Desk
    In this case (according to http://wiki.foxycart.com/v/0.7.2/api#customer) you'd do customer_password_hash:
    The customer_password_hash value: If you do not have the password in cleartext but would like to update the password, pass in customer_password_hash and the customer_password_salt (if applicable per your store's password hashing method). Whether you pass in a customer_password or a customer_password_hash, the end result is the same: A hashed password will be returned on _get requests for the customer_password field.
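
The double-hashing failure described in the replies above, as an added example that is not part of the thread and not FoxyCart's code: a constructed toy store that hashes whatever arrives as customer_password and stores customer_password_hash unchanged. ToyStore, the unsalted SHA-1 setting, the sample password and looks_like_hex_digest are assumptions made for illustration.

```python
import hashlib
import hmac
import string


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


class ToyStore:
    """Constructed model of a store set to unsalted SHA-1 (not FoxyCart's code)."""

    def __init__(self):
        self.stored = {}  # customer_email -> stored password hash

    def customer_save(self, customer_email, customer_password=None,
                      customer_password_hash=None):
        if customer_password_hash is not None:
            # Hash field: stored as given, never hashed again.
            self.stored[customer_email] = customer_password_hash.lower()
        elif customer_password is not None:
            # Cleartext field: the store applies its own hash to the value.
            self.stored[customer_email] = sha1_hex(customer_password)
        else:
            raise ValueError("no password field supplied")

    def login(self, customer_email, typed_password):
        expected = self.stored.get(customer_email)
        if expected is None:
            return False
        return hmac.compare_digest(expected, sha1_hex(typed_password))


def looks_like_hex_digest(value: str) -> bool:
    """Pre-flight guard: 32 or 40 hex chars is likely an MD5/SHA-1 digest."""
    return len(value) in (32, 40) and all(c in string.hexdigits for c in value)


def demo():
    password = "correct horse"  # constructed sample password
    digest = sha1_hex(password)
    store = ToyStore()
    store.customer_save("a@example.com", customer_password=digest)       # wrong field
    store.customer_save("b@example.com", customer_password_hash=digest)  # right field
    store.customer_save("c@example.com", customer_password=password)     # cleartext
    return {
        "hash_as_password": store.login("a@example.com", password),
        "double_hashed": store.stored["a@example.com"] == sha1_hex(digest),
        "hash_as_hash": store.login("b@example.com", password),
        "cleartext": store.login("c@example.com", password),
    }
```

Running looks_like_hex_digest on a value before it goes out as customer_password catches the wrong-field case on the integrator's side.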
  • MindSculpt Member
    edited February 2012
    sparkweb - Ok, so I was able to get the password thing working (user error on my end). I'm pre-populating all of the checkout fields via the SSO template provided in your wiki, and that works great. When I get to the checkout page, I get the following:
    Your account was found from a previous transaction. Please enter your password below to retrieve your previously saved information.

    When I enter the password, the account is confirmed and ALL of those pre-populated fields reset and clear out. Any ideas why this is happening, and what to do to avoid a reset?

    Not sure if it matters, but in the SSO file I'm sending both of the following values to FoxyCart checkout:
    $foxyData["customer_email"] = 'user_email';
    $foxyData["customer_password_hash"] = 'user_hashed_pwd';
    
  • sparkweb Member, Integration Developer, FoxyShop, Order Desk
    @MindSculpt, I think I remember hearing recently that when using SSO the pre-population doesn't work - that the SSO values take precedence. I think if you can put the address values into the user account via the API when setting it up, the address fields show up then. I think what's happening is that first you are passing pre-population data in, but after the SSO happens, it grabs the user account data to load instead (which is blank). I'll let one of the foxy guys confirm, though.
  • MindSculpt Member
    edited February 2012
    @sparkweb, Interesting. So are you saying that instead of appending customer params to the SSO redirect URL, add them to the foxyData array?
    $foxyData["customer_first_name"] = '$fname';
    $foxyData["customer_last_name"] = '$lname';
    $foxyData["customer_email"] = '$email';
    

    ...etc, like that? I'm also just a bit confused why checkout is asking for a password if I'm explicitly sending it in @brett

  • sparkweb Member, Integration Developer, FoxyShop, Order Desk
    Hmmm.... well now I'm confused. It does appear from the docs at http://wiki.foxycart.com/v/0.7.2/sso#best_practices that you can pre-populate. I guess we'll have to see what the Foxy guys say.
  • @sparkweb Right, because there'd be no reason to pass the params in both ways I'm assuming...
  • luke FoxyCart Team
    @MindSculpt: If you're doing SSO, it should load up the FoxyCart customer and not allow them to input an email address or password at all (unless you're setting the customer id to 0). Are you sending a valid FoxyCart customer id? What store is this for so we can take a closer look? Are you on version 072? We added some logging for 072 that you can see in the "errors" section of the admin which should give you some more info on what's going on concerning the SSO. If you're still seeing a customer email and password option on the checkout, it's probably not loading the customer. The point of SSO is that you don't need to pre-fill. If you already know the customer's data, you'd be better off using the FoxyCart API to update that customer record directly and then when they hit the checkout via SSO, their data will be correct.

    If you could whisper us the urls involved as well as a test login and password for your system, that would be helpful.
  • @luke I am using version 072. Just sent you some info via whisper. Thanks!