V9: Fix for migration of non-default configurated users/members (#11684)
* https://github.com/umbraco/Umbraco-CMS/issues/11366 Fallback to try login using super legacy HMACSHA1 even when the algorithm is stated as being HMACSHA256. The issue is that v8 saves HMACSHA256 on the user, but when configured to use legacy encoding it actually uses HMACSHA1
* Support migration of members with: UseLegacyEncoding+Clear, UseLegacyEncoding+Encrypted (Requires machine key), UseLegacyEncoding+Hashed
* Fixes unit tests
* Avoid exceptions + unit tests
* Save unknown algorithm if we don't know it, instead of persisting a wrong algorithm.
* Added setting to enable clear text password rehashes.
* Removed support for migration of clear text passwords
* Fixed unit test
@@ -96,7 +96,7 @@ namespace Umbraco.Cms.Core.Security
|
||||
string password = _passwordGenerator.GeneratePassword();
|
||||
return password;
|
||||
}
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Used to validate the password without an identity user
|
||||
/// Validation code is based on the default ValidatePasswordAsync code
|
||||
@@ -205,6 +205,8 @@ namespace Umbraco.Cms.Core.Security
|
||||
|
||||
await lockoutStore.ResetAccessFailedCountAsync(user, CancellationToken.None);
|
||||
|
||||
//Ensure the password config is null, so it is set to the default in repository
|
||||
user.PasswordConfig = null;
|
||||
return await UpdateAsync(user);
|
||||
}
|
||||
|
||||
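Review bot: Clearing `user.PasswordConfig` here ties the stored hash-algorithm metadata to what looks like a lockout-counter reset (the `lockoutStore.ResetAccessFailedCountAsync` call just above), and nothing visible in the hunk shows that the password hash itself was re-hashed with the default algorithm first. If this path can run while the stored hash is still in a legacy format, the record would afterwards claim the default algorithm for a hash it does not match. The method starts outside the hunk, so the caller may already guarantee this; if so, state the invariant in the comment, e.g. `// Hash has already been re-hashed with the default algorithm at this point; null lets the repository persist the default config.`, and otherwise guard the assignment on that condition.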
@@ -234,6 +236,11 @@ namespace Umbraco.Cms.Core.Security
|
||||
// here we are persisting the value for the back office
|
||||
}
|
||||
|
||||
if (string.IsNullOrEmpty(user.PasswordConfig))
|
||||
{
|
||||
//We cant pass null as that would be interpreted as the default algoritm, but due to the failing attempt we dont know.
|
||||
user.PasswordConfig = Constants.Security.UnknownPasswordConfigJson;
|
||||
}
|
||||
IdentityResult result = await UpdateAsync(user);
|
||||
return result;
|
||||
}
|
||||
|
||||
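Review bot: The new `if (string.IsNullOrEmpty(user.PasswordConfig))` block means a failed login attempt now changes the persisted password configuration from null to `Constants.Security.UnknownPasswordConfigJson`, so an unauthenticated request can alter how the stored hash is later interpreted. How the verifier treats the unknown marker is not visible here; unless the commit's unit tests already cover it, add a test asserting that a user in this state can still sign in with the correct password and is then re-hashed to the default algorithm, and that the marker never causes a verification step to be skipped. The comment could also be tightened to `// Null would be read as the default algorithm; after a failed attempt the algorithm is not known, so persist the explicit unknown marker.` The enclosing method starts outside the hunk.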