Jonathan Day

Reputation: 18702

Setting default values for a password field in Magento system configuration

Setting default values for System Configuration fields is well understood (via Chapagain and a blog post from @alan storm), but password fields are different because they are encrypted when saved to the database. Hence when Magento reads the default value from the config.xml, it tries to decrypt the value and fails if the default is in plaintext.

Is there an XML helper or process (other than creating a setup script with $setup->setConfigData('config/path/here', md5('default')) ) to specify these defaults?

Upvotes: 2

Views: 1963

Answers (2)

benmarks

Reputation: 23205

It's an interesting question / thought experiment, but the current behavior seems reasonable. If data storage for a value requires encryption, I can't imagine it being appropriate for a functional value to be present in plain text anywhere in the filesystem, whether in config.xml or in an install/upgrade script.

The only other option, encrypting it yourself, is likely undesirable, as you would have to hand out and therefore be aware of the crypt key value.

Upvotes: 2

Alana Storm

Reputation: 166156

I'm not 100% sure (this was a quick grep), but I think the password encryption happens in

File: app/code/core/Mage/Adminhtml/Model/System/Config/Backend/Encrypted.php 
protected function _beforeSave()
{
    $value = (string)$this->getValue();
    // don't change value, if an obscured value came
    if (preg_match('/^\*+$/', $this->getValue())) {
        $value = $this->getOldValue();
    }
    if (!empty($value) && ($encrypted = Mage::helper('core')->encrypt($value))) {
        $this->setValue($encrypted);
    }
}

Remember, this is an encryption, not hashing. Since you're storing a password to use somewhere (payment APIs most often), Magento needs to be able to unscramble what's been scrambled. So you can generate these values using the encrypt method of the core helper. You could also try something like this

$o = Mage::getModel('adminhtml/system_config_backend_encrypted');
$o->setData('value','encrypted or unencrypted value');

$o->beforeSave();     //to encrypt the value

$o->afterLoad();      //to unencrypt the value

$password = $o->getValue();  //fetch the value

Just remember that each store has its own encryption key, so this wouldn't be useful for distributing modules.

You should also look into the backend_model attribute (self link disclaimer, not documented anywhere else on the internet) in config.xml loading and processing.

Hope that helps.

Upvotes: 3
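
As an added example (not code from the question or from either answer): a Magento 1 data-install script that encrypts a default with the installing store's own key, which is the reversible form the backend model quoted above expects to decrypt. The module name, config path and environment variable are hypothetical; the secret is read from the environment so that no plaintext value ships in the module's files.

```php
<?php
// Added example: hypothetical data-install script for a module "mymodule".
// The config path and the environment variable name are assumptions.
/* @var $installer Mage_Core_Model_Resource_Setup */
$installer = $this;
$installer->startSetup();

$path   = 'mymodule/api/password';                  // hypothetical config path
$secret = getenv('MYMODULE_DEFAULT_API_PASSWORD');  // hypothetical variable set by the deployer

// Leave a value that an administrator has already saved untouched.
$conn   = $installer->getConnection();
$select = $conn->select()
    ->from($installer->getTable('core/config_data'), 'value')
    ->where('path = ?', $path)
    ->where('scope = ?', 'default')
    ->where('scope_id = ?', 0);
$existing = $conn->fetchOne($select);
$isUnset  = ($existing === false || $existing === null || $existing === '');

if ($isUnset && is_string($secret) && $secret !== '') {
    $helper    = Mage::helper('core');
    $encrypted = $helper->encrypt($secret);

    // encrypt() returns its input unchanged while Magento is not installed,
    // so confirm this is real ciphertext that this store's key can reverse.
    if ($encrypted !== $secret && $helper->decrypt($encrypted) === $secret) {
        $installer->setConfigData($path, $encrypted);
    } else {
        Mage::log("mymodule: no usable crypt key, default for {$path} not written");
    }
}

$installer->endSetup();
```

Because the ciphertext is produced at install time on each store, it does not depend on knowing any store's crypt key in advance.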
