PasswordVerify Problem passes unknown hash


Firespider


Hello, I created a login panel. There is a problem with it: I encrypted the passwords, but for some reason passwordVerify is not working.
This is the error code:
Passed unknown hash
--Client Side

local hashedPass = hash("sha256", Data[1][2])
triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass)
--Server Side
local db = dbConnect("mysql", "dbname=happy life roleplay;host=127.0.0.1;charset=utf8", "root", "", "share=0")

addEvent("attemptLogin", true)
addEventHandler("attemptLogin", resourceRoot, function(username, pass)
    local serial = getPlayerSerial(client)
    local dq = dbQuery(db, "SELECT * FROM accounts WHERE username=?", username)
    local result = dbPoll(dq, 250)
	
    if result then
        if #result > 0 then	
            local passHashFromDB = result[1]["password"]
            local passVerified = passwordVerify(pass, passHashFromDB)
            if passVerified then
                outputChatBox("Sikerült")
            else
                outputChatBox("Nem Sikerült")
            end
        else
            outputChatBox("Nincs ilyen fiók")
        end
    else
        outputChatBox("Nem csatlakozott az adatbázishoz")
    end	
end)

My system says "nem sikerült", so it didn't solve the problem. I'm sending the new code.
Client
local hashedPass = passwordHash(Data[1][2], "bcrypt",{})

triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass)

Server

addEvent("attemptLogin", true)
addEventHandler("attemptLogin", resourceRoot, function(username, pass)
    local serial = getPlayerSerial(client)
    local dq = dbQuery(db, "SELECT * FROM accounts WHERE username=?", username)
    local result = dbPoll(dq, 250)
	
    if result then
        if #result > 0 then	
            local passHashFromDB = result[1]["password"]
            local passVerified = passwordVerify(passHashFromDB, pass)
            if passVerified then
                outputChatBox("Sikerült")
            else
                outputChatBox("Nem Sikerült")
            end
        else
            outputChatBox("Nincs ilyen fiók")
        end
    else
        outputChatBox("Nem csatlakozott az adatbázishoz")
    end	
end)

Here is a larger part of the code, everything that handles registration or login is here.
function Login()
    if Data[1][1] ~= "" and Data[1][2] ~= "" then
        local hashedPass = passwordHash(Data[1][2], "bcrypt",{})

        triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass)
    else
        LogAlert("EmptyRectangle")
    end
end

function Reg()
    local Empty = false

    if Data[2][1] == "" or Data[2][2] == "" then
        Empty = true
        LogAlert("EmptyRectangle")
    end

    if not Empty then
        if string.len(Data[2][1]) > 3 then
            if string.len(Data[2][2]) > 3 then
                if Data[2][2] == Data[2][3] then
                    local hashedPass = passwordHash(Data[2][2], "bcrypt",{})
                    triggerServerEvent("attemptReg", resourceRoot, Data[2][1], hashedPass)
                else
                    LogAlert("NotMatch")
                end
            else
                LogAlert("ToShortPass")
            end
        else
            LogAlert("ToShortUS")
        end
    end
end

addEvent("Alert", true)

function LogAlert(response)
    if (isTimer(ErorrTimer)) then
        killTimer(ErorrTimer)
    end
    if response == "EmptyRectangle" then
        Problem[1] = "Töltsd ki az összes kis rublikát"
    elseif response == "NotMatch" then -- Reg() sends "NotMatch"; the original compared against "NoMatch", so this branch never ran
        Problem[1] = "Nem egyeznek a jelszavak"
    elseif response == "ToShortUS" then
        Problem[1] = "Túl rövid a felhasználó neved"
    elseif response == "ToShortPass" then
        Problem[1] = "Túl rövid a jelszavad"
    end

    ErorrTimer = setTimer(function()
        Problem[1] = ""
    end, 3000, 0)
end

triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass)

local passVerified = passwordVerify(passHashFromDB, pass)

You are comparing a hash to a hash. This function asks for the password in plain text, so don't encrypt it on the client side.

--local hashedPass = passwordHash(Data[1][2], "bcrypt",{}) --this


You should not be hashing the password on the client side:

function Login()
    if Data[1][1] ~= "" and Data[1][2] ~= "" then
        local hashedPass = passwordHash(Data[1][2], "bcrypt",{}) -- this is wrong

        triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass)
    else
        LogAlert("EmptyRectangle")
    end
end

passwordHash generates a new salt, a salt that does not match with the salt saved on the database, meaning the results will never match. Indeed, you can try this yourself:

local inputPassword = "somesecretpassword123"
local hash1 = passwordHash(inputPassword, "bcrypt", {}) -- pretend this one is saved on the database some time ago
local hash2 = passwordHash(inputPassword, "bcrypt", {}) -- pretend this one was just hashed now

-- Note the following will never match:
print(hash1)
print(hash2)

-- What you're doing:
passwordVerify(hash2, hash1) -- note, hash2 is not a password but the result of passwordHash given the input password

-- What you should be doing:
passwordVerify(inputPassword, hash1) -- this is how passwordVerify is supposed to be called

Thus, you should have the following on the client side:

function Login()
    if Data[1][1] ~= "" and Data[1][2] ~= "" then
        triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], Data[1][2])
    else
        LogAlert("EmptyRectangle")
    end
end

And keep the current server side the same.

Edited by Addlibs
-- Server-side code
local db = dbConnect("mysql", "dbname=happy life roleplay;host=127.0.0.1;charset=utf8", "root", "", "share=0")

addEvent("attemptLogin", true)
addEventHandler("attemptLogin", resourceRoot, function(username, pass)
   
    local dq = dbQuery(db, "SELECT * FROM accounts WHERE username=?", username)
    local result = dbPoll(dq, 250)
	
    if result then
        if #result > 0 then	
            local hash1 = passwordHash(pass, "bcrypt", {}) -- pretend this one is saved on the database some time ago
            local hash2 = passwordHash(pass, "bcrypt", {}) -- pretend this one was just hashed now
            print(hash1)
            print(hash2)

            local passVerified = passwordVerify(pass, hash1)
            if passVerified and hash1 == result[1]["password"] then
                print("Sikerült")
            else
                print("Nem Sikerült")
            end
        else
            outputChatBox("Nincs ilyen fiók")
        end
    else
        outputChatBox("Nem csatlakozott az adatbázishoz")
    end	
end)


addEvent("attemptReg", true)
addEventHandler("attemptReg", resourceRoot, function(username, pass)
    local serial = getPlayerSerial(client)
    local dq = dbQuery(db, "SELECT * FROM accounts WHERE serial=?", serial)
    local result = dbPoll(dq, 250)
    if result and #result > 0 then
        outputChatBox("Felhasználó már létezik.")
    else
		
		
        dbExec(db, "INSERT INTO accounts (username, password, serial) VALUES (?, ?, ?)", username, hash2, serial)
        outputChatBox("Sikerült")
    end
end)


Don't generate a new passwordHash on login. passwordHash should be used when registering, and only once; the result should be saved in the database. When logging in, take that hash (which includes a salt) and use passwordVerify of the input password against the saved hash. What this does internally is take the salt from the hash and similarly hash the input password, using the salt from the database hash, to come up with the exact same resultant hash if the provided plain text password is correct, or a different hash if it isn't (the result of the comparison of these hashes is the boolean return from passwordVerify).

-- ...
            local passHashFromDB = result[1]["password"]
            local passVerified = passwordVerify(pass, passHashFromDB)
            if passVerified then
                print("Sikerült")
            else
                print("Nem Sikerült")
            end
-- ...

Also, don't trust the client to hash the password! The server should generate the hash in the server-side handling of the registration event:

-- client side
function Reg()
    local Empty = false

    if Data[2][1] == "" or Data[2][2] == "" then
        Empty = true
        LogAlert("EmptyRectangle")
    end

    if not Empty then
        if string.len(Data[2][1]) > 3 then
            if string.len(Data[2][2]) > 3 then
                if Data[2][2] == Data[2][3] then
                    triggerServerEvent("attemptReg", resourceRoot, Data[2][1], Data[2][2])
                else
                    LogAlert("NotMatch")
                end
            else
                LogAlert("ToShortPass")
            end
        else
            LogAlert("ToShortUS")
        end
    end
end

-- server side
addEvent("attemptReg", true)
addEventHandler("attemptReg", resourceRoot, function(username, pass)
    local serial = getPlayerSerial(client)
    local dq = dbQuery(db, "SELECT * FROM accounts WHERE serial=?", serial)
    local result = dbPoll(dq, 250)

    if result and #result > 0 then
        outputChatBox("Felhasználó már létezik.", client)
    else
        if (not result) then
            -- abort function early to avoid inserting duplicate accounts!!
            outputDebugString("DATABASE LOOKUP FAILED: Aborting registration for " .. username .. "/" .. serial)
            return
        end
        dbExec(db, "INSERT INTO accounts (username, password, serial) VALUES (?, ?, ?)", username, passwordHash(pass, "bcrypt", {}), serial)
        outputChatBox("Sikerült", client)
    end
end)

I added some extra early-abort code, but this should not be used in production! Change this to use callbacks. Your existing code, if it failed to retrieve results within 250ms, would create duplicate accounts, because result would be nil (i.e. result not ready), so the "Felhasználó már létezik." output would not be run.

Also, there is no checking for duplicate account names right now (only duplicate serial check); depending on how you set up your DB tables, this may still result in duplicate account names, or the DB will reject the insertion but the user will be told registration was successful. You may want to fix that.

Edited by Addlibs
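As an added example (not code from this thread or from MTA), here is a small Python model of what passwordHash and passwordVerify do internally, with PBKDF2 from the standard library standing in for bcrypt and a constructed password. It replays the situations discussed in the two replies above: two calls to the hash function never agree (new salt each time), verifying hash against hash fails, verifying the plain password against the stored hash succeeds, and a stored value in an unrecognised format is rejected the way the "Passed unknown hash" error from the first post describes.

```python
# Added example (not code from the thread or from MTA): a model of what
# passwordHash / passwordVerify do internally, with PBKDF2 from the standard
# library standing in for bcrypt. The stored hash carries its own salt, so the
# client must send the plain password and the server must call verify().
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000


def password_hash(password: str) -> str:
    """Like passwordHash: fresh random salt on every call, salt kept in the result."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def password_verify(password: str, stored: str) -> bool:
    """Like passwordVerify: pull the salt out of `stored`, re-hash, compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        # Counterpart of MTA's "Passed unknown hash": the stored value is not in
        # a format the verifier understands (e.g. a bare sha256 hex digest).
        raise ValueError("Passed unknown hash")
    iterations, salt_hex, digest_hex = int(parts[1]), parts[2], parts[3]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


def login_demo(password: str) -> dict:
    """Replays the thread's situations for a constructed password."""
    stored = password_hash(password)         # saved once, at registration
    client_hashed = password_hash(password)  # what the client was sending instead
    try:
        password_verify(password, hashlib.sha256(password.encode()).hexdigest())
        unknown_rejected = False
    except ValueError:
        unknown_rejected = True
    return {
        "same_input_different_hash": stored != client_hashed,  # new salt each time
        "hash_vs_hash_fails": not password_verify(client_hashed, stored),
        "plain_vs_hash_ok": password_verify(password, stored),
        "unknown_format_rejected": unknown_rejected,
    }
```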
