Password hash algorithm

I’m looking to be able to use the stored password hashes from Discourse in an htpasswd file for another app.

What password hashing algorithm does discourse use?

Sorry if I’m misunderstanding, but are you saying you want to effectively copy Discourse’s hashing algorithm to your own app so you can match the hashes your app generates against those stored by Discourse? Wouldn’t this require you to regularly sync the passwords from Discourse to your htpasswd file, handle salts that Discourse may or may not have now or in the future, and keep your implementation of the hashing algorithm in sync with Discourse’s algorithm forever?

Again, sorry if I’m completely misunderstanding, but I had to ask for clarification for my own curiosity.


Just for checking that a username / password is valid.

A user supplies a username and password. We check that the supplied password is valid according to the hash from discourse. We won’t be generating any hashes.

By “generates” I didn’t mean to store, but to validate the password is correct.


I wonder if Discourse has SSO in the opposite direction so that people can sign into other apps using Discourse directly.


Yes, Discourse is able to be authoritative for sign-in, and this is the correct path @csmu - attempting to duplicate the hashing method would mean your sign-in method will break every time it changes.

It also wouldn’t account for users who don’t have a local password.


If you’re unwilling or unable to read the source to find the answer to your stated question, it might be best to take a step back and describe what problem you’re trying to solve.


I am able to read the source once I find it. I went looking through the source - for user.password - and I concentrated mainly on the user_controller. Nothing jumped out at me. I’d appreciate any pointers on where to look.

What would work for me is to be able to validate a user / password through Discourse without adding an SSO sign-in / login. Maybe through the API or a direct call to some Ruby code.

Oh. Yeah. Rails only makes sense after you know where stuff is. Here’s this

https://github.com/discourse/discourse/blob/master/app/models/user.rb#L1339-L1342

But I still recommend backing up and describing the problem rather than starting with your solution.


Thanks Jay -

After reading

  def confirm_password?(password)
    # An account with no stored hash or salt (e.g. one that only ever signed in
    # through an external provider) has no local password and can never match.
    return false unless password_hash && salt
    # Re-derive the hash from the supplied password and the stored salt, then compare.
    self.password_hash == hash_password(password, salt)
  end

in user.rb

the following works for straight ruby validation

user = User.find_by_email('some.email.address')
user.confirm_password?('valid-password')
=> true

I was experimenting with a .htaccess file for a server and I was looking for a way to validate a username / password through discourse for that server without knowing the passwords to generate the .htaccess file. The SSO approach is better and knowing how to validate a user name / password without using SSO will be useful for me.

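As an added example, not code from this thread or from Discourse itself: a stand-alone Ruby sketch of the confirm_password? shape quoted above, re-deriving a salted PBKDF2 hash from the supplied password and comparing it with the stored hex hash. The derivation function, iteration count and digest are assumptions chosen for illustration (Discourse’s SECURITY.md, linked in the last post, documents the real ones), the StoredUser struct and sample users are constructed in the script, and the comparison is constant-time rather than the `==` in the quoted method. It also shows the point made earlier about accounts without a local password: they can never validate this way.

```ruby
require "openssl"
require "securerandom"

# Assumed parameters for this example only. Discourse's SECURITY.md documents the real
# function and parameters; do not treat these constants as Discourse's values.
PBKDF2_ITERATIONS = 64_000
PBKDF2_DIGEST = "sha256"

# Minimal constructed stand-in for the columns confirm_password? reads (not the real model).
StoredUser = Struct.new(:username, :salt, :password_hash)

# Illustrative hash_password: hex-encoded PBKDF2-HMAC output, one digest length long.
def hash_password(password, salt, iterations: PBKDF2_ITERATIONS, digest: PBKDF2_DIGEST)
  d = OpenSSL::Digest.new(digest)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, d.digest_length, d).unpack1("H*")
end

# Constant-time equality: the run time does not depend on how many leading bytes
# of the stored hash the candidate matched, unlike String#==.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Same shape as the quoted confirm_password?: no hash or no salt means no local password.
def confirm_password?(user, password)
  return false unless user.password_hash && user.salt
  secure_compare(user.password_hash, hash_password(password, user.salt))
end

# Constructed sample user with a local password; the random salt is stored beside the hash.
def build_demo_user(username, password)
  salt = SecureRandom.hex(16)
  StoredUser.new(username, salt, hash_password(password, salt))
end

# Constructed sample user who only ever logged in through an external provider.
def build_sso_only_user(username)
  StoredUser.new(username, nil, nil)
end

if __FILE__ == $PROGRAM_NAME
  alice = build_demo_user("alice", "correct horse battery staple")
  puts confirm_password?(alice, "correct horse battery staple")  # true
  puts confirm_password?(alice, "wrong password")                 # false
  puts confirm_password?(build_sso_only_user("bob"), "anything")  # false
end
```

Re-implementing the derivation in a second application is exactly what the thread warns against: the check only stays valid while the function, iteration count, digest and salt handling match the forum’s, and it silently fails for every account that has no local password. The example is there to make the quoted method concrete; the recommendation in the thread to let Discourse be the authoritative sign-in still stands.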

Hi,
I’d be interested in knowing what password hash function and associated parameters (hash length, salt, what actual library is called) are used for local login. Looking at the Ruby file mentioned earlier didn’t help me. I’m in need of this info for compliance purposes: best practices around GDPR (and in the general realm of systems security, really) require me to document this information.

Edit: found the answer here: Export password hashes in the PHC format, and discourse/SECURITY.md at master · discourse/discourse · GitHub
