tbenyon

Hey Ray,

Regarding the “Undefined index: role” I believe this is only a warning and not throwing an error but I may be wrong? This should not be displaying in the front end. If it is, you probably should make sure it doesn’t show these warnings on your production site.

I think this is because you haven’t set up table mapping for the role field in for the external database in the External Login settings.
We can test this is true by, setting it to a random field in your users table which should disregard this issue I think. Foe example, set it to the field that stores the username.

To avoid this warning for the future I’ll also add some safeguards so that that data isn’t required.

Unless I misunderstood you though it does sound like the functionality is working as you would expect?

1. User logs in with correct password from external database and gains access
2. user logs out
3. password is changed in external database
4. User tries to log in with old (incorrect) password in WP and does not get logged in
5. User uses the new (correct) external password to login and gains access to WP

Is this the flow you expected?

Thanks Ray,

Tom 🙂

Yeah, reading your message again. If it’s working for the first time now, and you remove that cock up discussed above does it now start to work?

Hey @julian45123,

Apologies for the delayed response. It’s been a busy week.

From looking at this the example you sent the solution is incredibly custom and uses an md5 hash as it’s core (not bcrypt).

When it ‘encrypts’ the password it is definitely doing it in a custom way. It appears to be hashing the typed in password then storing the a jumble of the hash where the second set of 16 characters are placed on the front and the first set at the back. It then uses a salt and a static key which is being used like a second salt.

You can still make this work with the plugin using a hook.
If you go to the FAQ and look at the exlog_hook_filter_authenticate_hash hook there’s some instruction in there about how to write your custom hashing algorithm.

Essentially you’ll have to replicate the logic that your custom setup uses to return true or false in the hook.

Hey @vcomgrp,

Apologies for the delayed response. Yes it can but just requires the use of a filter your end.

If you go to the FAQ and look at the exlog_hook_filter_authenticate_hash hook there’s some instruction in there about how to write your custom hashing algorithm.

I have not tested this code but yours would look something like this:

function myExlogHashAuthenticator($password, $hashFromDatabase, $username, $externalUserData) {
    $calculatedHash = $password;
    for ($i = 1; $i <= 20; $i++) {
        $calculatedHash = hash('sha512', $calculatedHash);
    }
    return $hashFromDatabase == $calculatedHash;
}
add_filter('exlog_hook_filter_authenticate_hash', 'myExlogHashAuthenticator', 10, 4);

Let me know how you get on 🙂

Apologies for the delayed response 🙂

Sorry if this is too much information but by writing this all out may help you help me solve the problem if your technically minded but I’m mostly doing it to remind me of my thought process as I come back to look at this issue.

So the code we’re looking at is basically the oldest in the plugin. It comes from the article I’ve credited as being the original source for the concept. I can see better ways of handling this whole section but until I finish the work on bettering testing I don’t want to make large changes to this core logic as there are over 1000+ users depending on it for authentication of their apps.

I think that we can be happy that the following line is returning false:

$user = $userobj->get_data_by('login', $response['username']); // Does not return a WP_User object 🙁
This is because it cannot determine a user from your WordPress database. This means the user with the username ‘fredbloggs’ does not exist in your users table in the user_login field. However I believe you said it does so can you please double check this.

The strange thing that I can’t replicate is that your code is throwing an error because the ID does not exist on the $user property but althought this is true, I’ve not had any other users report this error blocking their login.

I was wondering if you’re running a very old version of PHP but I’m not sure.

NEXT STEP:
Can you please replace this code block where I have added a couple of extra safeguards that may allow your implementation to function. It is the whole else if block:

            } else if ($response["exlog_authenticated"]) {
                // External user exists, try to load the user info from the WordPress user table
                $userobj = new WP_User();
                error_log('EXLOG START>>>>>>>>>>>>>>>>>>>>>>>>>>>>>');
                error_log('EXLOG resp >>>>');
                error_log(var_export($response, true));
                $user = $userobj->get_data_by('login', $response['username']); // Does not return a WP_User object 🙁
                error_log('EXLOG user >>>>');
                error_log(var_export($user, true));
                $user = false;
                if ($user) {
                    $user = new WP_User($user->ID); // Attempt to load up the user with that ID
                }

                $exlog_userdata = array(
                    'user_login' => $response['username'],
                    'first_name' => $response['first_name'],
                    'last_name'  => $response['last_name'],
                    'user_pass'  => $password,
                    'role'       => $roles[0],
                    'user_email' => $response['email'],
                );

                // If user does not exist
                if (!$user || $user->ID == 0) {
                    // Setup the minimum required user information

                    $new_user_id = wp_insert_user( $exlog_userdata ); // A new user has been created

                    // Load the new user info
                    $user = new WP_User ($new_user_id);
                    error_log('EXLOG HERE1');

                } else {
                    $exlog_userdata['ID'] = $user->ID;

                    add_filter('send_password_change_email', '__return_false'); // Prevent password update e-mail

                    wp_update_user($exlog_userdata);
                    error_log('EXLOG HERE2');

                }

                $user->set_role($roles[0]); // Wipe out old roles

                // Add roles to user if more than one
                foreach ($roles as $role) {
                    $user->add_role($role);
                }

                // Hook that passes user data on successful login
                do_action('exlog_hook_action_authenticated', $user, $exlog_userdata);
                error_log('EXLOG END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>');
            }

Thank you for your patience,

Tom 🙂

Hey @fefo1983,

Firstly thank you for the beer!!! Really appreciated 🙂 Made my day. You’ll be glad to know it will be spent on a BrewDog order 🙂

So the plugin will achieve half of what you’re looking for and I think could potentially tie in nicely if you code the rest of the flow.

To break down your bullets to the three steps:

1. This is achievable with the plugin. You would just set the plugin to not use a hashing algorithm so that the plain 4 digit code would be validated against the database
2. Yes the plugin will create a user account, and it will use the 4 digit code as the password and hash that into the database. However, it does not have any functionality to force the user to change their password. I will talk about what you could to to solve this step below
3. The plugin has a setting called migration mode that will solve this problem for you. It means that if the user already exists in the local database they will not be searched for again in the external database.

A way you could solve the missing part of the flow you want to achieve…
The plugin uses WordPress’ ‘authenticate’ hook to validate and return the user to log them in. You could add a custom hook to the ‘wp_login’ hook that would:

1. Check if there is a meta data field for the user that just logged in to say they’ve setup their new password
2. Redirect them to change their password if they haven’t set it up. Once they have, add a flag for this user

There are probably a lot of plugins that will do this for you. I can’t say if they’re any good but I found a couple that you could try if you’re happy to use those. You could see how they behave with External Login?

• https://wordpress.org/plugins/new-user-password-reset/
• https://github.com/lumpysimon/wp-force-password-change

Let me know your thoughts . . .

🙂

That’s brilliant @stikekar!!!

Well done for getting it resolved!

Yeah, there’s a couple of fixes in the pipeline. Started a new job recently so haven’t come round to update but I will continue to support the plugin 🙂

Money received. That was very generous of you and much appreciated.

If you have any more issues don’t hesitate to get back in contact.

Kind regards,

Tom