magento2: Logging in on frontend of Magento 2.3.2 doesn't seem to work properly after you ran 'bin/magento customer:hash:upgrade'

Preconditions (*)

  1. PHP 7.2.19 where you have the sodium extension installed, and have libsodium >= 1.0.13 (this is very important!)

Steps to reproduce (*)

  1. Have Magento 2.3.1 installed
  2. Create 2 customers in the frontend, remember their passwords
  3. Look into the database at the password_hash column in the customer_entity table; the values look something like this: {64-random-chars}:{32-random-chars}:1
  4. Upgrade to Magento 2.3.2
  5. Log in with the first customer in the frontend
  6. Look at the database again; his password_hash has changed to: {64-random-chars}:{16-random-chars}:2
  7. Log out and log back in with the first customer, notice that this works => good
  8. Now, assume you can’t wait for every customer to log in to upgrade their password hash and just do it yourself by running bin/magento customer:hash:upgrade
  9. Look at the database again; the password_hash for the second customer has changed to: {64-random-chars}:{32-random-chars}:1:2
  10. Now try to log in with the second customer on the frontend; this does not work => not good

Expected result (*)

  1. It is expected to be able to log in with a customer after you ran bin/magento customer:hash:upgrade

Actual result (*)

  1. You can’t log in with a customer after you ran bin/magento customer:hash:upgrade

Discussion

I assume executing bin/magento customer:hash:upgrade upgrades the password_hash to the new algorithm, but not by using the unhashed password, because it can’t know it. Then on the next login of that particular customer, it should detect this because the hash ends with :1:2 and then again re-hash it and change it to just :2. But that doesn’t seem to be working here for some reason. Watch out: I have no idea if this is actually how Magento wanted to implement this, but this makes sense. Unfortunately there seems to be something broken in the implementation.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 28 (18 by maintainers)

Most upvoted comments

Hello @magento-engcom-team

Any update on this? We are facing the same issue when migrating from M1.9 CE to M2.3 EE. The issue seems easy to fix

// in \Magento\Framework\Encryption\Encryptor
// (proposed change: walk every version listed in the stored hash and feed each
// step's output into the next, the same way customer:hash:upgrade built it)

    public function isValidHash($password, $hash)
    {
        try {
            // Throws \RuntimeException if $hash is not in {hash}:{salt}:{versions} form.
            $this->explodePasswordHash($hash);
            // Start from the plaintext and re-apply every version in order, so a
            // stored ":1:2" is checked as argon2id(sha256(salt . password)), not argon2id(password).
            $hashedPassword = $password;
            foreach ($this->getPasswordVersion() as $hashVersion) {
                if ($hashVersion === self::HASH_VERSION_ARGON2ID13) {
                    $hashedPassword = $this->getArgonHash($hashedPassword, $this->getPasswordSalt());
                } else {
                    $hashedPassword = $this->generateSimpleHash($this->getPasswordSalt() . $hashedPassword, $hashVersion);
                }
                // Compare against the digest part of the stored value only (no salt/version suffix).
                $hash = $this->getPasswordHash();
            }
        } catch (\RuntimeException $exception) {
            // Hash is not a password hash.
            $hashedPassword = $this->hash($password);
        }

        // Constant-time comparison.
        return Security::compareStrings(
            $hashedPassword,
            $hash
        );
    }

We need to hash the “hashed password” against all hash versions to mimic the customer:hash:upgrade logic
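The chaining described in the issue's discussion and in the proposed fix above, as an added example that is not Magento's code: a stand-alone PHP script (needs the sodium extension, as in the issue's preconditions) that builds a {hash}:{salt}:1 value, upgrades it to {hash}:{salt}:1:2 without the plaintext by hashing the stored digest again, and then verifies the password by replaying every listed version in order. The version numbers follow the issue's observations; the Argon2id parameters, the truncation of the 32-char salt to 16 bytes, the helper names and the deliberately broken isValidHashLastVersionOnly (a model of the reported symptom, not the actual 2.3.2 code) are this example's own assumptions.

```php
<?php
// Added example, not Magento code. Re-implements the {hash}:{salt}:{versions...}
// format from the issue on top of PHP's sodium extension so the ":1:2" chaining
// can be tried on its own. Version numbers follow the issue (1 = SHA-256 legacy,
// 2 = Argon2id); the Argon2 parameters and salt handling are this script's
// assumptions, not Magento's.
declare(strict_types=1);

const HASH_VERSION_SHA256 = 1;
const HASH_VERSION_ARGON2ID13 = 2;
const DELIMITER = ':';

function saltForArgon(string $salt): string
{
    // Assumption: sodium_crypto_pwhash() wants exactly SODIUM_CRYPTO_PWHASH_SALTBYTES (16)
    // bytes, so a 32-char legacy salt is truncated and a shorter one is padded.
    $salt = substr($salt, 0, SODIUM_CRYPTO_PWHASH_SALTBYTES);
    return str_pad($salt, SODIUM_CRYPTO_PWHASH_SALTBYTES, $salt);
}

// One hashing step: takes whatever the previous step produced (or the plaintext).
function hashStep(string $input, string $salt, int $version): string
{
    if ($version === HASH_VERSION_ARGON2ID13) {
        return bin2hex(sodium_crypto_pwhash(
            32,                                    // 32 raw bytes -> 64 hex chars
            $input,
            saltForArgon($salt),
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
        ));
    }
    if ($version === HASH_VERSION_SHA256) {
        return hash('sha256', $salt . $input);     // 64 hex chars
    }
    throw new RuntimeException("Unknown hash version $version");
}

// Value as stored by the old install: {sha256}:{salt}:1
function makeLegacyHash(string $password): string
{
    $salt = bin2hex(random_bytes(16));             // 32 chars, as in the report
    return implode(DELIMITER, [hashStep($password, $salt, HASH_VERSION_SHA256), $salt, HASH_VERSION_SHA256]);
}

// What an offline upgrade can do without the plaintext: hash the stored digest
// again with the newest version and append that version, giving ...:1:2.
function upgradeStoredHash(string $stored): string
{
    $parts = explode(DELIMITER, $stored);
    [$digest, $salt] = $parts;
    $versions = array_map('intval', array_slice($parts, 2));
    if (end($versions) === HASH_VERSION_ARGON2ID13) {
        return $stored;                            // already on the latest version
    }
    $versions[] = HASH_VERSION_ARGON2ID13;
    $digest = hashStep($digest, $salt, HASH_VERSION_ARGON2ID13);
    return implode(DELIMITER, array_merge([$digest, $salt], $versions));
}

// Correct verifier: replay every version in order, feeding each output into the next.
function isValidHash(string $password, string $stored): bool
{
    $parts = explode(DELIMITER, $stored);
    if (count($parts) < 3) {
        throw new RuntimeException('Not a password hash');
    }
    [$digest, $salt] = $parts;
    $candidate = $password;
    foreach (array_slice($parts, 2) as $version) {
        $candidate = hashStep($candidate, $salt, (int) $version);
    }
    return hash_equals($digest, $candidate);       // constant-time compare
}

// Hypothetical broken verifier: applies only the last version to the plaintext,
// so every ...:1:2 entry fails. A model of the reported symptom, not Magento's code.
function isValidHashLastVersionOnly(string $password, string $stored): bool
{
    $parts = explode(DELIMITER, $stored);
    [$digest, $salt] = $parts;
    return hash_equals($digest, hashStep($password, $salt, (int) end($parts)));
}

$password = 'correct horse battery staple';       // constructed sample input
$v1   = makeLegacyHash($password);                 // ...:{32 chars}:1
$v1v2 = upgradeStoredHash($v1);                    // ...:{32 chars}:1:2
var_dump(isValidHash($password, $v1));                  // bool(true)
var_dump(isValidHash($password, $v1v2));                // bool(true)  (chained)
var_dump(isValidHash('wrong password', $v1v2));         // bool(false)
var_dump(isValidHashLastVersionOnly($password, $v1v2)); // bool(false): the reported symptom
```

Run it with php from the command line; the interactive Argon2id memory limit allocates about 64 MiB per call. The point to take away is that a stored version list is an ordered recipe: once an offline upgrade appends a version, the verifier has to apply the whole list, not just the last entry, or every upgraded customer is locked out until a password reset.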

Hello,

I have a similar issue, when I try to run customer:hash:upgrade I get this error:

In Address.php line 108:

“Phone Number” is a required value.


Does someone have the same issue?

I am trying to migrate Magento 1.9.4.2 to 2.4.1 via the data migration tool.

Regards,

Hello @hostep and @bchatard, @Akki-8388

Sorry for the late response, but only a couple of minutes ago I received an update about the status of the related internal Jira ticket MC-19686.

At this moment MC-19686 has status: RESOLVED and Resolution: Fixed. It means that the fix is in the delivery queue and will be delivered soon by an internal Pull Request.

Hello @hostep

Very good and important question https://github.com/magento/magento2/issues/23517#issuecomment-550377818

I have requested an answer to this question from the internal Magento team members who worked on the fix and waiting for a response now. I will respond here as soon as I have any updates

@sdzhepa: can you clarify if you executed customer:hash:upgrade before this fix, if you need to run it again, or if everything is screwed in the database and there is no way of getting the passwords back unless a customer resets his password?

It’s not for me personally, but having this information might be useful for people who actually ran into this problem.

Thanks!

Hi @hostep, @bchatard.

Thank you for your report and collaboration!

The issue was fixed by Magento team. The fix was delivered into magento/magento2:2.3-develop branch(es). Related commit(s):

The fix will be available with the upcoming 2.3.4 release.