Louis W

Reputation: 3262

Generate password_hash which matches Magento Go API

I am trying to authenticate a user through the Magento Go SOAP API and am having problems generating a matching hash. According to the docs, the password_hash contains password:salt; however, when I md5 it, it's not matching the password_hash.

Example:

1) I changed my password through admin control panel to 'testtest'

2) Run the following code:

$client     = new SoapClient('http://XXXX.gostorego.com/api/v2_soap/?wsdl');
$session    = $client->login($api_user, $api_pass);

$params     = array('filter'=>array(array('key'=>'email','value'=>'[email protected]')));

$data       = $client->customerCustomerList($session, $params);     

echo '<pre>CUSTOMER: '.print_r($data, true).'</pre>';

if (count($data)) {
    $hash   = explode(':',$data[0]->password_hash);
    $salt   = $hash[1];
    echo '<pre>HASH PARTS:'.print_r($hash, true).'</pre>';
    echo '<br>' .md5($salt.$password);
}

3) password_hash is f35604820826428dd7633b91cd6078f4075c9bfa1a37db7bc70f563475ad8495:qK

4) MD5 is 0b04a656c770ba2f10b5918f94529cd8

Upvotes: 1

Views: 1712

Answers (2)

JoshBelke

Reputation: 206

On the backend, both MD5 and SHA are being supported, with newer support leaning towards SHA (in Enterprise).

If your password were: 12341234

The DB hash would in fact be similar to: cdb757ce51af9749d2fabea4cf71dc72a1ec7b8721e5f8de83020f574ca3c5f1:TR

  • And is indeed SHA256.

However, the remote connection should be "https:" over SSL for the WSDL file and you should be entering your SOAP API key in normal/plain text, i.e.:

  • $username = "myUsername"; //ie. yourApiUsername
  • $password = "myUserPass"; //ie. 12341234

If you want to replicate their hashing for your own internal purposes, you need to look at their methods: class Mage_Core_Model_Encryption

public function hash($data)
{
    return md5($data);
}

/**
 * Validate hash against hashing method (with or without salt)
 *
 * @param string $password
 * @param string $hash
 * @return bool
 * @throws Exception
 */
public function validateHash($password, $hash)
{
    $hashArr = explode(':', $hash);
    switch (count($hashArr)) {
        case 1:
            return $this->hash($password) === $hash;
        case 2:
            return $this->hash($hashArr[1] . $password) === $hashArr[0];
    }
    Mage::throwException('Invalid hash.');
}

Enterprise:

    public function hash($data, $version = self::HASH_VERSION_LATEST)
    {
        if (self::HASH_VERSION_MD5 === $version) {
            return md5($data);
        }
        return hash('sha256', $data);
    }



    /**
     * Validate hash by specified version
     *
     * @param string $password
     * @param string $hash
     * @param int $version
     * @return bool
     */
    public function validateHashByVersion($password, $hash, $version = self::HASH_VERSION_LATEST)
    {
        // look for salt
        $hashArr = explode(':', $hash, 2);
        if (1 === count($hashArr)) {
            return $this->hash($password, $version) === $hash;
        }
        list($hash, $salt) = $hashArr;
        return $this->hash($salt . $password, $version) === $hash;
    }

Upvotes: 0

Alana Storm

Reputation: 166156

I've never done this with Magento Go (and I'm not sure it's supported/possible) but the hash string

 f35604820826428dd7633b91cd6078f4075c9bfa1a37db7bc70f563475ad8495:qK

is too long to be an MD5 hash of a string. That's a 64 byte hash (plus the :, plus the salt qK). My guess is it's SHA256, but that's a guess based on character length.

Upvotes: 2
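The two answers above, combined into one check as an added example (not part of either answer and not Magento's own code): it picks MD5 or SHA-256 from the length of the hex digest, prepends the salt the way the quoted `validateHash()` methods do, and compares with `hash_equals()` instead of `===`. The function names `detectAlgo` and `verifyStoredHash` are hypothetical.

```php
<?php
// Added example, not Magento code. Function names are hypothetical.

/**
 * Pick the digest algorithm from the length of the stored hex digest:
 * 32 hex characters = MD5, 64 hex characters = SHA-256.
 */
function detectAlgo(string $hexDigest): ?string
{
    if (!ctype_xdigit($hexDigest)) {
        return null;
    }
    switch (strlen($hexDigest)) {
        case 32: return 'md5';
        case 64: return 'sha256';
        default: return null;
    }
}

/** Verify a password against "digest" or "digest:salt" (salt is prepended). */
function verifyStoredHash(string $password, string $stored): bool
{
    $parts  = explode(':', $stored, 2);
    $digest = strtolower($parts[0]);
    $salt   = $parts[1] ?? '';
    $algo   = detectAlgo($digest);
    if ($algo === null) {
        return false; // unknown format: fail closed instead of throwing
    }
    // hash_equals() compares in constant time, unlike ===
    return hash_equals($digest, hash($algo, $salt . $password));
}

// Constructed sample values, built here so the script runs offline.
$salt = 'qK';
$sha  = hash('sha256', $salt . 'testtest') . ':' . $salt;
$md5  = md5($salt . 'testtest') . ':' . $salt;

var_dump(verifyStoredHash('testtest', $sha));        // SHA-256 form
var_dump(verifyStoredHash('testtest', $md5));        // MD5 form
var_dump(verifyStoredHash('wrong', $sha));           // wrong password
var_dump(verifyStoredHash('testtest', 'nothex:qK')); // malformed digest

// The stored value and password from the question; the output shows
// whether that store used salt-prepended SHA-256.
var_dump(verifyStoredHash('testtest',
    'f35604820826428dd7633b91cd6078f4075c9bfa1a37db7bc70f563475ad8495:qK'));
```

A single round of salted MD5 or SHA-256 is fast to brute-force, so this is only for interoperating with existing stored values; for passwords you store yourself, use PHP's `password_hash()` and `password_verify()`.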
