Hey @adailtonphp,
This is a server error and is normally not related to the plugin itself.
I would encourage you to run the test and then check the logs on your WordPress server and your database for relevant errors.
If you can find a useful error, feel free to share it back here (making sure you redact any private information).
Thanks,
Tom 🙂
Hi @tbenyon
Thanks. I will check the logs.
Att
Hi @tbenyon
Good Morning
I managed to solve the problem of error 500, however, although the test works perfectly, when I test it on the front of the site, I can’t log in with the external bank.
Any idea what it might be?
Thanks
Hey @adailtonphp,
The likely problem is that you have not configured the correct hashing algorithm that the external database uses.
Find out exactly what it does.
If it does not use one of the out of the box hashing algorithms, you can use a plugin hook to replicate the hashing process on the external database.
You can find information about the exlog_hook_filter_authenticate_hash hook in the FAQ.
Here’s a copy of the information . . .
——————————–
You can use this hook to check if the password is correct in a custom way. For example, if you use a hashing algorithm not supported by the plugin by default.
This hook provides you with a range of different information:
– $password – the password that was typed in at the login screen
– $hashFromDatabase – the hash stored in the database
– $username – the username that was typed in in the login screen
– $externalUserData – the rest of the data retrieved from the external database for the user that was found
Returning true will authenticate the user and returning false will treat them as unauthorised.
The below example shows how you could use the filter:
function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
return password_verify($password, $hashFromDatabase);
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);
———————————–
I think I’ve answered your questions so I’m going to mark this as resolved.
I’m obviously still happy to answer questions though so feel free to keep messaging back if you have more questions about the plugin 🙂
Thanks,
Tom
🙂
Hi @tbenyon
I’m authenticating the user with data from own documents, that is, the field I use for password is not encrypted. For that reason I put NONE Password Hashing.
Question, if I specify that it does not have encryption it should not work?
Thanks
Yep that should work fine.
I should flag at this point that not hashing your usernames passwords is a huge security vulnerability which you could be held liable for if the data was breached.
Can you confirm which database type you are using? SQL?
The next step to try is to add some logs in the main flow.
In external-login/login/authenticate.php you could add the following error logs:
$block_access_due_to_role = true;
foreach ($roles as $role) {
if ($role != EXLOG_ROLE_BLOCK_VALUE) {
$block_access_due_to_role = false;
}
}
error_log('-------------exlog authenticate start--------');
// If a user was found
if ($response) {
error_log('-------------exlog has response --------');
// If role is blocking user access
if ($block_access_due_to_role) {
error_log('-------------exlog has block access due to role --------');
$user = new WP_Error('denied', __("You are not allowed access"));
// If user was NOT authenticated
} else if (!$response["authenticated"]) {
error_log('-------------exlog not authenticated --------');
$error_message = isset($response['error_message']) ? $response['error_message'] : "Invalid username or password";
// User does not exist, send back an error message
$user = new WP_Error('denied', __($error_message));
// If user was authenticated
} else if ($response["authenticated"]) {
error_log('-------------exlog authenticated --------');
// External user exists, try to load the user info from the WordPress user table
$userobj = new WP_User();
$user = $userobj->get_data_by('login', $response['wp_user_data']['username']); // Does not return a WP_User object 🙁
$user = new WP_User($user ? $user->ID : NULL); // Attempt to load up the user with that ID
In external-login/login/validate_password.php you could add the following error logs:
function exlog_validate_password($password, $hash, $user_specific_salt) {
$salt_method = exlog_get_option("external_login_option_db_salting_method");
$algorithm = exlog_get_option("external_login_option_hash_algorithm");
$hash = exlog_should_lowercase_hex_hash($algorithm, $hash);
error_log('-------------exlog start--------');
if ($algorithm == "none") {
error_log('-----------V--exlog was correct--V------');
error_log(var_export($password == $hash, true));
return $password == $hash;
} else if ($algorithm == "phpass") {
You can then check your php error logs to get a better idea of where the flow is coming back.
Feel free to let me know your findings.
IMPORTANT! If you add any logs that store passwords, make sure you don’t share them here and you delete those logs!
Thanks,
Tom
🙂
@tbenyon
I understand the vulnerability and I confess that it is not something I do in production, but I am doing it to show the customer the possibility. Then I will create the encrypted password field in the bank
I use MSSql externally.
The system is not in production yet. We’re running tests.
I will apply the log script.
I’ll test everything and post the result
Thanks
Hi @tbenyon
Good afternoon
`The server and communication problems have been resolved. Now he is logging in but does not keep the login, giving the impression that he is not creating the cookies.
In short, I enter the correct data but is not logging in.
Log follows:
[19-Feb-2021 18:37:39 UTC] ————-exlog start——–
[19-Feb-2021 18:37:39 UTC] ———–V–exlog was correct–none——
[19-Feb-2021 18:37:39 UTC] true
[19-Feb-2021 18:37:39 UTC] ————-exlog authenticate start——–
[19-Feb-2021 18:37:39 UTC] ————-exlog authenticated ——–
Thanks
Hey @adailtonphp,
Another set of logs for you to add to the external-login/login/authenticate.php file:
// If user was authenticated
} else if ($response["authenticated"]) {
error_log('-------------exlog authenticated --------');
// External user exists, try to load the user info from the WordPress user table
$userobj = new WP_User();
$user = $userobj->get_data_by('login', $response['wp_user_data']['username']); // Does not return a WP_User object 🙁
$user = new WP_User($user ? $user->ID : NULL); // Attempt to load up the user with that ID
$exlog_userdata = array(
'user_login' => $response['wp_user_data']['username'],
'first_name' => $response['wp_user_data']['first_name'],
'last_name' => $response['wp_user_data']['last_name'],
'role' => $roles[0],
'user_email' => $response['wp_user_data']['email'],
);
error_log('-------------exlog built user data--------');
// Only update the WordPress user's password if it has changed
// Without this all other sessions for the user gets cleared
$check = wp_authenticate_username_password( NULL, $username , $password );
if (is_wp_error( $check )) {
$exlog_userdata['user_pass'] = $password;
}
error_log('-------------exlog do they already exist??? --------');
// If user does not exist
if ($user->ID == 0) {
error_log('-------------exlog end $user already existed so updating --------');
// Setup the minimum required user information
$new_user_id = wp_insert_user( $exlog_userdata ); // A new user has been created
// Load the new user info
$user = new WP_User ($new_user_id);
} else {
error_log('-------------exlog end $user does not exist so creating --------');
$exlog_userdata['ID'] = $user->ID;
add_filter('send_password_change_email', '__return_false'); // Prevent password update e-mail
wp_update_user($exlog_userdata);
}
$user->set_role($roles[0]); // Wipe out old roles
// Add roles to user if more than one
foreach ($roles as $role) {
$user->add_role($role);
}
// Hook that passes user data on successful login
do_action('exlog_hook_action_authenticated', $user, $exlog_userdata, $response['raw_response']);
}
}
// Whether to disable login fallback with the local WordPress version of the username and password
// Prevents local login if:
// - Disable local login is set in the admin area
// - OR
// - The user was found but the password was rejected
if (exlog_get_option('external_login_option_disable_local_login') == "on" || is_wp_error($user)) {
remove_action('authenticate', 'wp_authenticate_username_password', 20);
remove_action('authenticate', 'wp_authenticate_email_password', 20);
}
}
error_log('-------------exlog end $user --------');
error_log(var_export($user, true));
return $user;
}
Can you confirm if the external user is getting added to the wordpress database?
I’m sure we’ll get there 🙂
Thanks,
Tom
Hi @tbenyon
Good Morning
With the logs I was able to check the error and correct the problem. Thank you very much for the support.
Thanks
Hey @adailtonphp,
That’s great news 🙂
If everything is working for you I’d be grateful if you could write a review or even buy me a beer.
Thanks,
Tom 🙂
@tbenyon
Congratulations and for sure I will be leaving a comment and of course, a beer. 🙂
Hello,
When I want to test the database, the system returns the following error to me:
Error: 500
There was an error on the server.
For DB i use MySQL. What is the solution to this problem?
Hey @alin26,
This is a server error and is normally not related to the plugin itself.
I would encourage you to run the test and then check the logs on your WordPress server and your database for relevant errors.
If you can find a useful error, feel free to share it back here (making sure you redact any private information).
Thanks,
Tom 🙂
