Exporte hashes de senha no formato PHC

Os detalhes atuais sobre o sistema de armazenamento de senhas do Discourse podem ser encontrados em discourse/docs/SECURITY.md at main · discourse/discourse · GitHub. No momento da escrita deste texto, utilizamos PBKDF2-SHA256 com 600.000 iterações.

Em algumas situações, você pode querer exportar todas as senhas hash do Discourse e importá-las para outro sistema. Por exemplo, você pode estar migrando da autenticação nativa do Discourse para um sistema SSO personalizado. Lembre-se: é impossível extrair as senhas originais do banco de dados, portanto, seu sistema de destino precisa ser capaz de executar o mesmo algoritmo de hash com os mesmos parâmetros.

Os dados de senha são armazenados na tabela user_passwords, que contém as colunas password_hash, password_salt e password_algorithm. A coluna password_algorithm armazena o prefixo completo do algoritmo PHC (por exemplo, $pbkdf2-sha256$i=600000,l=32$), que pode variar por usuário se a contagem de iterações tiver sido aumentada ao longo do tempo.

Você pode usar o Data Explorer para exportar as informações em um formato legível por computador:

SELECT users.id, users.username, up.password_salt, up.password_hash, up.password_algorithm
FROM users
INNER JOIN user_passwords up ON users.id = up.user_id
WHERE users.id > 0

Isso exportará os dados no formato nativo do Discourse. O salt está codificado em hexadecimal e o hash da senha também está codificado em hexadecimal.

Alguns sistemas externos suportam o formato de string PHC, que visa representar a saída de uma função de hash de senha de forma independente do algoritmo. Para o pbkdf2-sha256, essa string contém o tipo de algoritmo, o número de iterações, o salt codificado em base64 e o hash codificado em base64. Felizmente, o Postgres pode lidar com tudo isso para nós em uma única consulta.

Para gerar strings PHC para cada usuário do Discourse, você pode usar uma consulta no Data Explorer como esta:

SELECT users.id, users.username,
  concat(
    up.password_algorithm,
    replace(encode(up.password_salt::bytea, 'base64'), '=', ''),
    '$',
    replace(encode(decode(up.password_hash, 'hex'), 'base64'), '=', '')
  ) as phc
FROM users
INNER JOIN user_passwords up ON users.id = up.user_id
WHERE users.id > 0

Se você usa o Auth0, então use esta consulta em vez da anterior:

SELECT
    user_emails.email,
    users.active as email_verified,
    concat(
        up.password_algorithm,
        replace(encode(up.password_salt::bytea, 'base64'), '=', ''),
        '$',
        replace(encode(decode(up.password_hash, 'hex'), 'base64'), '=', '')
    ) as password_hash
FROM users
INNER JOIN user_passwords up ON users.id = up.user_id
INNER JOIN user_emails 
ON users.id = user_emails.user_id 
AND user_emails.primary IS TRUE
AND users.id > 0

Just a note here that I (with some help from the friendly Auth0 team) ended up tweaking the example query to generate valid PHC strings for importing user passwords into Auth0.

I also encoded the salt as base64 by changing this line

salt,

to

replace(encode(users.salt::bytea, 'base64'), '=', ''),

See further here (including a step by step on how to import Discourse users and their passwords into Auth0).

Thanks @angus - this is interesting because we have had a customer use the query in the OP to successfully import users to Auth0. I wonder if something has changed in their import process - IIRC the ability to import PHC strings to Auth0 was very new back in November

Yeah, I was wondering about that, and thought the same.

I also wasn’t quite sure of the language in the PHC specification. Not sure if this means the salt must be B64 encoded or not.

The salt consists in a sequence of characters in: [a-zA-Z0-9/+.-] (lowercase letters, uppercase letters, digits, /, +, . and -). The function specification MUST define the set of valid salt values and a maximum length for this field. Functions that work over arbitrary binary salts SHOULD define that field to be the B64 encoding for a binary value whose length falls in a defined range or set of ranges.

Sorry for getting off-topic, but has anyone imported password hashes from Auth0 to Discourse? I’m thinking of doing this migration so any help would be appreciated. I’m not a paying Auth0 customer so I just wanted to know if this is feasible before paying for the password hash export.

Thanks.

Importing passwords is not supported by Discourse core, although it might be possible using an adapted version of this third-party plugin:

Thank you! I’ve found the repo on GitHub but not the topic here on meta.

Hey @angus, we’re cleaning things up here.

Is it true that the OP code block should read:

SELECT id, username,
  concat(
    '$pbkdf2-sha256$i=64000,l=32$',
    replace(encode(users.salt::bytea, 'base64'), '=', ''),
    '$',
    replace(encode(decode(password_hash, 'hex'), 'base64'), '=', '')
  ) as phc
FROM users

and include something like:

For more information about importing Discourse passwords to Auth0 see Bulk User Import Custom Password Hash Issue - Auth0 Community.

To move data from Auth0 to Discourse, this might help: Migrated password hashes support.

Yup, that looks good.

You may want to add something in about each import needing specific attention, as the user data being handled will differ depending on the use case, i.e. don’t just copy / paste these queries.

Also, exporting passwords in PHC is not necessarily only for Auth0, so perhaps that should just be refered to as an “example”.

The full query I used for my export was

SELECT
    user_emails.email,
    users.active as email_verified,
    concat(
        '$pbkdf2-sha256$i=64000,l=32$',
        replace(encode(users.salt::bytea, 'base64'), '=', ''),
        '$',
        replace(encode(decode(users.password_hash, 'hex'), 'base64'), '=', '')
    ) as password_hash
FROM users
INNER JOIN user_emails 
ON users.id = user_emails.user_id 
AND user_emails.primary IS TRUE
AND users.id > 0