Reputation: 31
I need help on migrating users from a website built using Symfony2 to Silverstripe 3.
I got a table of users from a Symfony-built website with sha1 hashed passwords and salts. I want to import the users to a freshly set up Silverstripe 3 website. I tried to insert a sample entry to SS3's Member table by manually inserting the hashed password and the salt and changing the password encryption algorithm to sha1, but it didn't work. I also tried using `Security::set_password_encryption_algorithm` in my `_config.php` to override the password encryption from blowfish to sha1, but it doesn't seem to change the password algorithm.
I really need help on this since I only have a few days left to deliver the project. Any ideas on how I should do the migration?
Upvotes: 0
Views: 366
Reputation: 716
You can create your own password "encryptor" classes (not 100% correct naming...) in SS for that. I've had a look at the SF2 implementation, here's an untested starting point. It doesn't check for curly braces in salts.
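```php
<?php
// Reproduces the digest loop of Symfony2's MessageDigestPasswordEncoder.
class PasswordEncryptor_Symfony2 extends PasswordEncryptor {

    // Symfony's defaults; change them to match the old site's encoder settings.
    protected $algorithm = 'sha512';
    protected $iterations = 5000;
    protected $encodeHashAsBase64 = true;

    public function encrypt($password, $salt = null, $member = null) {
        // Symfony merges as "password{salt}"; an empty salt leaves the password unchanged.
        $salted = empty($salt) ? $password : $password . '{' . $salt . '}';
        $digest = hash($this->algorithm, $salted, true);
        // The hash above counts as the first iteration.
        for ($i = 1; $i < $this->iterations; $i++) {
            $digest = hash($this->algorithm, $digest . $salted, true);
        }
        return $this->encodeHashAsBase64 ? base64_encode($digest) : bin2hex($digest);
    }
}
```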
You'll need to register this class via the YML config, in mysite/_config/encryptors.yml:
```yaml
PasswordEncryptor:
  encryptors:
    symfony2:
      PasswordEncryptor_Symfony2:
```
And set it as the default (if so desired) in mysite/_config.php:
```php
Security::set_password_encryption_algorithm('symfony2');
```
In order to ensure existing hashes migrated from SF2 will be checked with this class, you need to set the `PasswordEncryption` column in the `Member` table to "symfony2" (each member has its used encryptor alias set individually to allow for these types of migrations). So any new users created in SS could still use the default SS password hashing ("blowfish" alias).
Upvotes: 0
Reputation: 13199
The Symfony2 password encryption does encrypt the password + hash not only once but many times (the default is 5000). Symfony also concatenates the password and the hash like this:

```php
$password . '{' . $salt . '}'
```

You would need to either reproduce this technique in Silverstripe 3 or use the Symfony encryption in your Silverstripe 3 application. You can have a look at the implementation when looking at `Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder`.
Another method would be to reset each password and send an email to every user once the new application is live so the user can add his password. You would not need to migrate the password in this case, which might work better in the long run.
Upvotes: 1
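The question mentions sha1 hashes while the answers use Symfony's sha512 / 5000-iteration defaults, so it is worth confirming which settings the exported rows were produced with before importing them. The following is an added example, not code from either answer or from Symfony or SilverStripe: `symfonyDigest()` and `detectEncoderSettings()` are hypothetical helper names, the candidate lists and the sample row are constructed, and `hash_equals()` assumes PHP 5.6 or later.

```php
<?php
// Added example (not from the answers): find which digest settings
// reproduce a stored hash for an account whose password is known.

function symfonyDigest($password, $salt, $algorithm, $iterations, $base64)
{
    // password{salt} merge described above; an empty salt leaves the password bare.
    $salted = ($salt === null || $salt === '') ? $password : $password . '{' . $salt . '}';
    $digest = hash($algorithm, $salted, true);
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash($algorithm, $digest . $salted, true);
    }
    return $base64 ? base64_encode($digest) : bin2hex($digest);
}

function detectEncoderSettings($password, $salt, $storedHash)
{
    // Candidate values are assumptions: sha1 from the question, sha512 and
    // 5000 from the answers, 1 for a single unstretched round.
    foreach (array('sha1', 'sha512') as $algorithm) {
        foreach (array(1, 5000) as $iterations) {
            foreach (array(false, true) as $base64) {
                $candidate = symfonyDigest($password, $salt, $algorithm, $iterations, $base64);
                // Hex digests may be stored in either case; base64 is case-sensitive.
                $stored = $base64 ? $storedHash : strtolower($storedHash);
                if (hash_equals($candidate, $stored)) {
                    return compact('algorithm', 'iterations', 'base64');
                }
            }
        }
    }
    return null; // no candidate matched: the old site used something else
}

// Constructed sample row standing in for one exported Symfony2 user.
$salt     = 'c0nstructedSalt';
$password = 'known-test-password';
$stored   = strtoupper(symfonyDigest($password, $salt, 'sha1', 5000, false));

var_dump(detectEncoderSettings($password, $salt, $stored));
var_dump(detectEncoderSettings('wrong-password', $salt, $stored));
```

Run it against a test account from the old site whose password you know; the matching combination is what the three properties of the encryptor class need to be set to.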