Ktor - checking passwords against wordpress database - wordpress

I'm trying to perform user authentication against a wordpress/Mysql database in ktor. As far as I know, passwords are stored in the wp_users table after a hashing transformation, performed with phpass framework.
Starting from a plain text password, my aim is to compare this password with the hash stored in the database, to understand if I have to authenticate the user or not.
Is there any support between ktor and mysql/wordpress?

Obviously, Ktor itself knows nothing about Wordpress or any other PHP techonology.
Actually, it doesn't know about databases either. There is an Exposed ORM-framework, which is often used in Ktor projects for that. It supports MySQL databases, so it will be suitable in this case too.
But I believe you will have to write this integration by yourself, cause this is a rather exotic combination of technologies (Ktor+Wordpress), and highly unlikely someone else did it before.

I finally made it!
I found out from the documentation that wordpress uses a password hashing function called bcrypt. Then I searched github for a java implementation and I got into this repository by Wolf480pl.
By copying BCrypt.java and PHPass.java files into my project, I just wrote this simple kotlin function to check the match between the hash stored into the database (I used Exposed to connect to the mySQL db) and the plain text password:
fun passwordMatch(password: String, storedHash: String): Boolean {
val checker = PHPass(8)
return checker.checkPassword(password, storedHash)
}
Just that, it works!

Related

How to change encrypted password in context file without using the studio

I am using a group context to configure the db connection. The password of the db has a password type. When deploying the job, the password is automatically encrypted in the default.properties under the contexts folder.
What if i want to change the password without using the studio (on a client environment)? what can i use to encrypt the new password?
I was able to do it by creating a separate encryption job with a tjava component and the following code:
System.out.println(routines.system.PasswordEncryptUtil.encryptPassword(context.Password));
where context.Password is an input context variable of type String. When running the job, the user is prompted to enter a password and then the encrypted Talend password will be printed. It will have the following format: enc:routine.encryption.key.v1:[encryptedPassword] The routine encryption key can be modified if needed by following this link: https://help.talend.com/r/en-US/8.0/installation-guide-data-integration-windows/rotating-encryption-keys-in-talend-studio
There's actually a few ways for this:
myJob.sh --context_param myPassword=pass123
this unfortunately can be seen by anyone via ps / task manager.
You can also edit the contexts/contextName.properties file and change the context parameters there. This way the context can only be seen if you have access to the file.
Theoretically both should be able to accept the cleartext/encrypted password.
Implicit context load feature can also be used to load contexts: https://help.talend.com/r/en-US/8.0/data-integration-job-examples/creating-job-and-defining-context-variables

How encrypt SQLite database with FireDAC?

I'm create SQLite databse with DB Browser for SQLite (non encrypted) and open with FireDAC in delphi.(Can retrive data Eg. Select * from abc).
How encrypt this SQLite database with FireDAC? When enter username, password and encrypt get message "Cipher DB is not encrypdet"
Note:
When create SQLite database from Delphi FireDac I can use encryption!
To encrypt a database, use a TFDSQLiteSecurity Component. You'll also need a TFDSQLitePhysSQLiteDriverLink component to go along with it.
If a database is unencrypted, then its password is ''. So use '' as the OldPassword and create the new password in that case. Passwords are formatted as algorithm:PassPhrase. See documentation on the choices, I use aes-256. Also, the database needs to be closed when you do this.
...
//Change password
FDSQLiteSecurity1.Password := OldPassword;
FDSQLiteSecurity1.ToPassword := NewPassword; // example: 'aes-256:mypassword123'
FDSQLiteSecurity1.ChangePassword;
...
//Remove Password
FDSQLiteSecurity1.Password := OldPassword;
FDSQLiteSecurity1.ToPassword := '';
FDSQLiteSecurity1.RemovePassword;
...
From the Documentation
SQLite Encrypted Database
Approach
One of the distinctive SQLite
features is the high-speed strong database encryption. It allows you
to make database file content confidential and enforce integrity
control on the database file. The encrypted database format is not
compatible with other similar SQLite encryption extensions. This means
that you cannot use an encrypted database, encrypted with non-FireDAC
libraries. If you need to do this, then you have to decrypt a database
with an original tool and encrypt it with FireDAC.
Recent Delphi versions come with an example project for working with encryption on Sqlite databases, see this documentation. I have not used this myself, btw.
It includes this section
Encrypt DB
Encrypt: Encrypts the database according to the Encryption mode and the password provided.
The sampe uses TFDSQLiteSecurity.SetPassword to encrypt the database with the password provided.
The database password is the combination of <encryption algorythm>:<password>.
I have faced several challenges when first time tried to encrypt SQLite database for use with Embarcadero FireDAC. Also all information is published by Embarcadero question pops up again and again on different forums. My case was solved based on community support, but when time has permitted simple Delphi application was assembled and available on Sourceforge. Hope it will make encryption/decryption slightly easier particularly for the newbie
https://sourceforge.net/projects/sqlite-sequrity-for-delphi/

Encrypt alfresco password

I want to encrypt db.username and db.password written in alfresco-global.properties .
Can anyone please help me in this, where that username & password is used so that i can write decryption code there, so that alfresco can understand.
I am using Alfresco 4.2 Enterprise.
Can't you just change permissions on alfresco-global.properties so only the user running the Alfresco JVM can read it ?
Anyways, that said the values are used in tomcat/webapps/alfresco/WEB-INF/classes/alfresco/core-services-context.xml. Create a custom bean baseDefaultDataSource deriving from org.apache.commons.dbcp.BasicDataSource and handle the decryption in that class. Make sure to pass the decrypted value to the jdbc driver. Also make sure the definition gets processed after the defaults kick in. You might want to drop your spring context into tomcat/shared/classes/alfresco/extension.

Qt - How to list all existing databases on PostgreSQL server using Qt interface

Could someone please explain how to obtain a list of all existing databases on a PostgreSQL server, to which the user already has access, using Qt? PostgreSQL documentation suggests the following query:
SELECT datname FROM pg_database WHERE datistemplate = false;
What are the correct parameters to the following functions:
QSqlDatabase::setDatabaseName(const QString & name) //"postgres" or "pg_database"?
QSqlDatabase::setUserName(const QString & name) //actual user name?
QSqlDatabase::setPassword(const QString & password) //no password? or user password?
Much appreciated. Thank you in advance.
You appear to have already answered the first part of your question. Connect to the postgres or template1 database and issue the query you've quoted above to get a list of databases. I'm guessing - reading between the lines - that you don't know how to connect to PostgreSQL to send that query, and that's what the second part of your question is about. Right?
If so, the QSqlDatabase accessor functions you've mentioned are used to set connection parameters, so the "correct" values depend on your environment.
If you want to issue the query above - to list databases - then you would probably want to connect to the postgres database as it always exists and isn't generally used for anything specific, it's there just to be connected to. That means you'd call setDatabaseName("postgres");. Passing pg_database to setDatabaseName would be nonsensical, since pg_database is the pg_catalog.pg_database table, it isn't a database you can connect to. pg_database is one of those odd tables that exists in every database, which might be what confused you.
With the other two accessors specify the appropriate username and password for your environment, same as you'd use for psql; there's no possible way I could tell you which ones to use.
Note that if you set a password but one isn't required because authentication is done over unix socket ident, trust, or other non-password scheme the password will be ignored.
If this doesn't cover your question, consider editing it and explaining your problem in more detail. What've you tried? What didn't work how you expected? Error messages? Qt version?

Crypted passwords in PHP-apis? Twitter?

I'm creating a small service using api-libraries, such as Twitter. Is it possible to input users password to Twitter-api crypted. I would not like to store peoples passwords uncrypted on my server, but writing them every time is annoying.
Does someone know?
Martti Laine
You should consider using OAuth.
Here are some examples.
If you're using PHP you can use the GnuPG extension to easily encrypt any credentials on your side, and decrypting them before making the API calls.
Here's a check list of things you need:
make sure gpg is installed on your system;
create a gpg key pair and store the files on a safe location;
optionally password protect the generated private key;
use PHP's GnuPG extension to encrypt and decrypt data using those keys.
Here's a small PHP example, taken from the gnupg_encrypt() manual:
<?php
$res = gnupg_init();
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>
This technique should also be applied even if you're using OAuth or other password-less authentication method. A common mistake is to use OAuth and not encrypt locally saved tokens as access to those tokens might give anyone the power to act on behalf of the user.

Resources