Posted

Hi everyone,

I want to create a user on the fly with SSO.

I receive the password already hashed and want to save the user without having the password hashed by ProcessWire afterwards.

So far I could leave it rehashed in the database as long as the customer does not want to allow the users to use the direct login mask.

But if that changes, I would be in trouble.

So is there a ProcessWire way to do this, or do I have to put the user in manually?

I know we will have someone intelligent helping me out here :D

Posted

I am not sure I understand completely. Are you actually wanting PW to store the password as plain text, or just return the password as plain text before hashing and saving?

Posted

@blackeye1987

Thanks for posting. Like adrian, I'm not sure I understand what you want to do. When you say "I receive the password already hashed" do you mean that this sso system does its own hashing on account creation and at login and passes those password hashes through to the app (PW in this case) and that you just want to do a compare of their login hash with whatever you stored as the hash verbatim?

Posted

Well, somewhat yes.

I get a user object via XML

<name>username</name>
<password>password</password>

and the password I receive is already hashed in sha1

so it would be good if I wouldn't need to write an extra login for these people.

Posted

One approach might be to add an extra field to the user template, something like "sso_hash", and have your sso login handler compare against that field. You'd also need it to take similar actions to the ProcessLogin.module ___execute() routine in order to set up the session if successful.

If your customer ever wants to allow direct login via PW's login form then they'll have to (at some point) provide you with the un-hashed, raw passwords for users so that you can set PW's password field with its correctly hashed version of the password. You may want to ask if they will ever be willing to do this because, if they aren't, you may as well use the sso hash as the user password and just live with the double hashing.

  • Like 2
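
The two options discussed above (a separate "sso_hash" field versus keeping the double hash), sketched as an added example that is not part of any post in this thread. It is plain PHP with no ProcessWire API calls: `password_hash()` stands in for ProcessWire's own password hashing, all function names are hypothetical, and the SSO digest is assumed to be an unsalted hex `sha1(password)`.

```php
<?php
// Added example: plain PHP only. password_hash()/password_verify() stand in for
// ProcessWire's password hashing; every function name here is hypothetical.

// Option 1: keep the SSO-supplied SHA-1 verbatim in a separate "sso_hash" field.
function ssoHashMatches(string $storedSsoHash, string $receivedSsoHash): bool
{
    // Normalise the case of the hex digests, then compare in constant time.
    return hash_equals(strtolower($storedSsoHash), strtolower($receivedSsoHash));
}

// Option 2 ("double hash"): treat the SHA-1 string as the account's password.
function storeDoubleHash(string $ssoSha1): string
{
    return password_hash(strtolower($ssoSha1), PASSWORD_DEFAULT);
}

// SSO login: the incoming value is already the SHA-1 digest.
function verifySsoLogin(string $storedHash, string $ssoSha1): bool
{
    return password_verify(strtolower($ssoSha1), $storedHash);
}

// Direct login: the user types the raw password, so it has to go through the
// same SHA-1 step before verification (assumes an unsalted sha1(password)).
function verifyDirectLogin(string $storedHash, string $typedPassword): bool
{
    return password_verify(sha1($typedPassword), $storedHash);
}

// Constructed sample data, not taken from the thread.
$rawPassword = 'correct horse battery staple';
$fromSso     = sha1($rawPassword);   // what the XML <password> element would carry
$stored      = storeDoubleHash($fromSso);

var_dump(ssoHashMatches($fromSso, strtoupper($fromSso)));  // option 1 comparison
var_dump(verifySsoLogin($stored, $fromSso));               // SSO path, double hash
var_dump(verifyDirectLogin($stored, $rawPassword));        // direct path, raw password
var_dump(verifyDirectLogin($stored, $fromSso));            // digest typed as password
```

In both options the SHA-1 digest is what authenticates the user on the SSO path, so it needs the same care in transport and storage as a password.
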
Posted

Yeah, I thought about this as well.

So far they are undecided.

I am quite sure they will not hand any real passwords to me.

I will keep the double hash.

Thanks for the help.

Take my likes and feel free to close the thread :)
