Password hashing #10926

Merged
merged 10 commits into from Dec 2, 2016

tsteur (Member) commented Dec 1, 2016

See #10740, which implements the password hashing. On top I have added a commit to use md5 for tokens and to no longer show tokens in user management.

Follows up #5728

tsteur and others added 7 commits November 30, 2016 15:25
* converts user.password to VARCHAR(255)

* re-hashes existing passwords with bcrypt

* re-hashes legacy password after first login

* converts user.token_auth to CHAR(64)

* creates/updates users with randomized token_auth

* performs authentication for getTokenAuth

* hides password change confirmation for modern token_auth

* shows authentication token on personal settings page

* adds hint about token regeneration to api page

* allows users to regenerate their token_auth

* allows admins to regenerate users token_auth

* cleans up unused "use" statements

* extracts password interaction to separate class

* improves "password changes token" confirmation wording

* bumps version to 3.0.0-b4

* requires confirmation before token regeneration

* cleans up testing environment (passwords / tokens)

* removes Password class from UsersManager model
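
The two migration steps in the commit list above ("re-hashes existing passwords with bcrypt" and "re-hashes legacy password after first login") can fit together as in this added example, which is not code from the pull request or from Piwik. It assumes the legacy column held a fast unsalted hex digest (MD5 is used as a stand-in) and that a hypothetical `legacy` flag marks rows not yet upgraded; the function names are hypothetical as well.

```php
<?php
// Added illustration, not Piwik's implementation.
// Assumption: legacy rows store a fast unsalted hex digest; MD5 is a stand-in.
const LEGACY_ALGO = 'md5';

// Bulk migration: the plaintext is unknown, so the stored legacy digest
// itself is wrapped in bcrypt. The 60-char result fits VARCHAR(255).
function wrapLegacyDigest(string $legacyDigest): string
{
    return password_hash($legacyDigest, PASSWORD_BCRYPT);
}

// Login check. Returns [bool $ok, ?string $hashToStore]; a non-null second
// element means the caller should persist it and clear the legacy flag.
function verifyAndUpgrade(string $password, array $row): array
{
    if ($row['legacy']) {
        // Stored value is bcrypt(legacy_digest(password)).
        $candidate = hash(LEGACY_ALGO, $password);
        if (!password_verify($candidate, $row['password'])) {
            return [false, null];
        }
        // First successful login: the plaintext is available, hash it directly.
        return [true, password_hash($password, PASSWORD_BCRYPT)];
    }
    if (!password_verify($password, $row['password'])) {
        return [false, null];
    }
    // Modern row: only re-hash if the cost or algorithm settings changed.
    $new = password_needs_rehash($row['password'], PASSWORD_BCRYPT)
        ? password_hash($password, PASSWORD_BCRYPT)
        : null;
    return [true, $new];
}

// Constructed sample row, as it would look right after the bulk migration.
$row = ['legacy' => true, 'password' => wrapLegacyDigest(hash(LEGACY_ALGO, 'correct horse'))];

[$ok, $new] = verifyAndUpgrade('correct horse', $row);   // legacy path
var_dump($ok, $new !== null);
$row = ['legacy' => false, 'password' => $new];          // persist the upgrade

[$ok2, $new2] = verifyAndUpgrade('correct horse', $row); // modern path
var_dump($ok2, $new2 === null);

[$bad] = verifyAndUpgrade('wrong password', $row);       // rejected
var_dump($bad);
```

Until a user logs in, the wrapped row is only as strong as bcrypt over the legacy digest, which is why the second step replaces it with a direct bcrypt hash of the password.
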

tsteur (Member, Author) commented Dec 1, 2016

@mattab the tests should work after the latest commit. I have not updated the screenshots that fail because of this change (valid changes) because I don't want to risk any merge conflicts. We can update them later.

tsteur added the Needs Review label Dec 1, 2016

tsteur added this to the 3.0.0-b4 milestone Dec 1, 2016

tsteur (Member, Author) commented Dec 1, 2016

Kudos to @mneudert for this 👍

tsteur added the not-in-changelog label Dec 1, 2016

mattab (Member) commented Dec 2, 2016

🎉 important security improvement now merged in Piwik 3 🎉
