Firespider Posted August 23, 2023 Share Posted August 23, 2023 Hello, I created a login panel, there is a problem with it that I encrypted the passwords, but for some reason passwordVerify is not working. This is the error code Passed unknown hash --Client Side local hashedPass = hash("sha256", Data[1][2]) triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass) --Server Side local db = dbConnect("mysql", "dbname=happy life roleplay;host=127.0.0.1;charset=utf8", "root", "", "share=0") addEvent("attemptLogin", true) addEventHandler("attemptLogin", resourceRoot, function(username, pass) local serial = getPlayerSerial(client) local dq = dbQuery(db, "SELECT * FROM accounts WHERE username=?", username) local result = dbPoll(dq, 250) if result then if #result > 0 then local passHashFromDB = result[1]["password"] local passVerified = passwordVerify(pass, passHashFromDB) if passVerified then outputChatBox("Sikerült") else outputChatBox("Nem Sikerült") end else outputChatBox("Nincs ilyen fiók") end else outputChatBox("Nem csatlakozott az adatbázishoz") end end) Link to comment
Balázs1 Posted August 24, 2023 Share Posted August 24, 2023 Hello You have to use the passwordHash function instead of simple hash in the following line: 13 hours ago, Firespider said: local hashedPass = hash("sha256", Data[1][2]) because the two hash method is not equal. https://wiki.multitheftauto.com/wiki/PasswordHash Link to comment
Firespider Posted August 24, 2023 Author Share Posted August 24, 2023 My system says "nem sikerült", so it didn't solve the problem, I'm sending the new code Client local hashedPass = passwordHash(Data[1][2], "bcrypt",{}) triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass) Server addEvent("attemptLogin", true) addEventHandler("attemptLogin", resourceRoot, function(username, pass) local serial = getPlayerSerial(client) local dq = dbQuery(db, "SELECT * FROM accounts WHERE username=?", username) local result = dbPoll(dq, 250) if result then if #result > 0 then local passHashFromDB = result[1]["password"] local passVerified = passwordVerify(passHashFromDB, pass) if passVerified then outputChatBox("Sikerült") else outputChatBox("Nem Sikerült") end else outputChatBox("Nincs ilyen fiók") end else outputChatBox("Nem csatlakozott az adatbázishoz") end end) Link to comment
Balázs1 Posted August 24, 2023 Share Posted August 24, 2023 how do you store the passwords in the database? Is it hashed with passwordHash function too? Link to comment
Firespider Posted August 24, 2023 Author Share Posted August 24, 2023 Yes, I store them using the hash principle. And of course I hash the password with passwordHash. I don't know how understandable this is. XD Link to comment
justn Posted August 24, 2023 Share Posted August 24, 2023 The hash is the second argument in 'passwordVerify'. Not the first. So replace with: local passVerified = passwordVerify(pass, passHashFromDB) Link to comment
Firespider Posted August 24, 2023 Author Share Posted August 24, 2023 It's not good, unfortunately. It also says that I am entering the wrong password, but it is exactly the same. Link to comment
Burak5312 Posted August 24, 2023 Share Posted August 24, 2023 (edited) Can you show more of the client side? Edited August 24, 2023 by Burak5312 Link to comment
Firespider Posted August 24, 2023 Author Share Posted August 24, 2023 Here is a larger part of the code, everything that handles registration or login is here. function Login() if Data[1][1] ~= "" and Data[1][2] ~= "" then local hashedPass = passwordHash(Data[1][2], "bcrypt",{}) triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass) else LogAlert("EmptyRectangle") end end function Reg() local Empty = false if Data[2][1] == "" or Data[2][2] == "" then Empty = true LogAlert("EmptyRectangle") end if not Empty then if string.len(Data[2][1]) > 3 then if string.len(Data[2][2]) > 3 then if Data[2][2] == Data[2][3] then local hashedPass = passwordHash(Data[2][2], "bcrypt",{}) triggerServerEvent("attemptReg", resourceRoot, Data[2][1], hashedPass) else LogAlert("NotMatch") end else LogAlert("ToShortPass") end else LogAlert("ToShortUS") end end end addEvent("Alert", true) function LogAlert(response) if (isTimer(ErorrTimer)) then killTimer(ErorrTimer) end if response == "EmptyRectangle" then Problem[1] = "Töltsd ki az összes kis rublikát" elseif response == "NoMatch" then Problem[1] = "Nem egyeznek a jelszavak" elseif response == "ToShortUS" then Problem[1] = "Túl rövid a felhasználó neved" elseif response == "ToShortPass" then Problem[1] = "Túl rövid a jelszavad" end ErorrTimer = setTimer(function() Problem[1] = "" end, 3000, 0) end Link to comment
Burak5312 Posted August 24, 2023 Share Posted August 24, 2023 triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass) local passVerified = passwordVerify(passHashFromDB, pass) you are comparing hash to hash this function asks for the password in plain text so don't encrypt it on client side --local hashedPass = passwordHash(Data[1][2], "bcrypt",{}) --this Link to comment
Addlibs Posted August 24, 2023 Share Posted August 24, 2023 (edited) You should not be hashing the password on the client side: function Login() if Data[1][1] ~= "" and Data[1][2] ~= "" then local hashedPass = passwordHash(Data[1][2], "bcrypt",{}) -- this is wrong triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], hashedPass) else LogAlert("EmptyRectangle") end end passwordHash generates a new salt, a salt that does not match with the salt saved on the database, meaning the results will never match. Indeed, you can try this yourself: local inputPassword = "somesecretpassword123" local hash1 = passwordHash(inputPassword, "bcrypt", {}) -- pretend this one is saved on the database some time ago local hash2 = passwordHash(inputPassword, "bcrypt", {}) -- pretend this one was just hashed now -- Note the following will never match: print(hash1) print(hash2) -- What you're doing: passwordVerify(hash2, hash1)) -- note, hash2 is not a password but the result of passwordHash given the input password -- What you should be doing: passwordVerify(inputPassword, hash1) -- this is how passwordVerify is supposed to be called Thus, you should have the following in the clientside: function Login() if Data[1][1] ~= "" and Data[1][2] ~= "" then triggerServerEvent("attemptLogin", resourceRoot, Data[1][1], Data[1][2]) else LogAlert("EmptyRectangle") end end And keep the current serverside the same. Edited August 24, 2023 by Addlibs Link to comment
Firespider Posted August 25, 2023 Author Share Posted August 25, 2023 Should I also change it during registration? @Addlibs Now it always says that I'm typing correctly, but not XD Link to comment
Firespider Posted August 25, 2023 Author Share Posted August 25, 2023 I tried to solve it so that it only succeeds if it is equal, but that's not good either, because the hash will always be different when I press the button and so it doesn't match the database. Link to comment
Firespider Posted August 25, 2023 Author Share Posted August 25, 2023 -- Szerveroldali kód local db = dbConnect("mysql", "dbname=happy life roleplay;host=127.0.0.1;charset=utf8", "root", "", "share=0") addEvent("attemptLogin", true) addEventHandler("attemptLogin", resourceRoot, function(username, pass) local dq = dbQuery(db, "SELECT * FROM accounts WHERE username=?", username) local result = dbPoll(dq, 250) if result then if #result > 0 then local hash1 = passwordHash(pass, "bcrypt", {}) -- pretend this one is saved on the database some time ago local hash2 = passwordHash(pass, "bcrypt", {}) -- pretend this one was just hashed now print(hash1) print(hash2) local passVerified = passwordVerify(pass, hash1) if passVerified and hash1 == result[1]["password"] then print("Sikerült") else print("Nem Sikerült") end else outputChatBox("Nincs ilyen fiók") end else outputChatBox("Nem csatlakozott az adatbázishoz") end end) addEvent("attemptReg", true) addEventHandler("attemptReg", resourceRoot, function(username, pass) local serial = getPlayerSerial(client) local dq = dbQuery(db, "SELECT * FROM accounts WHERE serial=?", serial) local result = dbPoll(dq, 250) if result and #result > 0 then outputChatBox("Felhasználó már létezik.") else dbExec(db, "INSERT INTO accounts (username, password, serial) VALUES (?, ?, ?)", username, hash2, serial) outputChatBox("Sikerült") end end) Link to comment
Addlibs Posted August 25, 2023 Share Posted August 25, 2023 (edited) Don't generate a new passwordHash on login. passwordHash should be used when registering, and only once; the result should be saved in the database. When logging in, take that hash (which includes a salt) and use passwordVerify of the input password against the saved hash. What this does internally is take the salt from the hash and similarly hash the input password, using the salt from the database hash, to come up with the exact same resultant hash if the provided plain text password is correct, or a different hash if it isn't (the result of the comparison of these hashes is the boolean return from passwordVerify). -- ... local passHashFromDB = result[1]["password"] local passVerified = passwordVerify(pass, passHashFromDB) if passVerified then print("Sikerült") else print("Nem Sikerült") end -- ... Also, don't trust the client to hash the password! The server should generate the hash in the server-side handling of the registration event: -- client side function Reg() local Empty = false if Data[2][1] == "" or Data[2][2] == "" then Empty = true LogAlert("EmptyRectangle") end if not Empty then if string.len(Data[2][1]) > 3 then if string.len(Data[2][2]) > 3 then if Data[2][2] == Data[2][3] then triggerServerEvent("attemptReg", resourceRoot, Data[2][1], Data[2][2]) else LogAlert("NotMatch") end else LogAlert("ToShortPass") end else LogAlert("ToShortUS") end end end -- server side addEvent("attemptReg", true) addEventHandler("attemptReg", resourceRoot, function(username, pass) local serial = getPlayerSerial(client) local dq = dbQuery(db, "SELECT * FROM accounts WHERE serial=?", serial) local result = dbPoll(dq, 250) if result and #result > 0 then outputChatBox("Felhasználó már létezik.", client) else if (not result) then -- abort function early to avoid inserting duplicate accounts!! outputDebugString("DATABASE LOOKUP FAILED: Aborting registration for " .. username .. "/" .. serial) return end dbExec(db, "INSERT INTO accounts (username, password, serial) VALUES (?, ?, ?)", username, passwordHash(pass, "bcrypt", {}), serial) outputChatBox("Sikerült", client) end end) I added an extra early-abort code, but this should not be used in production! Change this to use callbacks. Your existing code, if it failed to retrieve results within 250ms, would create duplicate accounts, because result would be nil (i.e. result not ready) so the "Felhasználó már létezik." output would not be run. Also, there is no checking for duplicate account names right now (only duplicate serial check); depending on how you set up your DB tables, this may still result in duplicate account names, or the DB will reject the insertion but the user will be told registration was successful. You may want to fix that. Edited August 25, 2023 by Addlibs Link to comment
Firespider Posted August 25, 2023 Author Share Posted August 25, 2023 Thanks! but passwordVerify still gives false Link to comment
Firespider Posted August 27, 2023 Author Share Posted August 27, 2023 Can you help someone? Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now