tbenyon

Hey Wayne,

I think I may have found the issue if your hashing algorithm is set to ‘none’.
The issue is in the following file in the plugin:
login/validate_password.php
Current line:
if ($algorithm == "bcrypt" || $algorithm == "phpass" || $algorithm == "phpcrypt") {

The line should read:
if ($algorithm == "bcrypt" || $algorithm == "phpass" || $algorithm == "phpcrypt" || $algorithm == "none") {

If you can test this that’d be great.

You could also prove this is correct by typing in a completely lower case version of the password as this should authenticate you.

I’m going to get this fix into the next release 🙂

Hey @metapost,

Does your external system support different roles?

If you are happy that all the users that get authenticated with External Login are given the same role in WordPress, you can use the Unspecified Role feature.
“This is default role that will be assigned to users who don’t match a following role mapping.”

This way you can make all users come through as ‘Editor’ or subscriber or whatever you fancy 🙂

Let me know if this answers your question.

Thanks,

Tom

Hey @mainpagepl,

Thanks for the detailed posts.

Just wanted to let you know I’m not ignoring you and am just struggling to find the time to properly look into this.

I’m hoping to get this resolved this weekend.

Will keep you posted but feel free to chase me on Monday if you haven’t heard back 🙂

Tom

Hey Amit,

Thanks for the link as I am unfamiliar with Blesta.

Blesta use a very custom system as outlined here:

Before a password is hashed using bcrypt, however, it is hashed using HMAC SHA-256. The HMAC SHA-256 process produces a 256-bit (64-hexadecimal character) string, which is then hashed using bcrypt. This extra step provides additional security for short passwords, extremely long passwords (see denial of service), and dictionary attacks.

I actually feel their attempt to be more secure by adding in a two step system is far less secure than requiring a better password from their users and would in fact cause little additional benefit. However, this is not the topic for discussion.

The flat answer is that the plugin currently doesn’t support this as it is such a custom solution. I have a task in my backlog to create a hook so that you could add a custom hashing solution in your functions.php file.

I will bump it up the list and will leave this thread open so I can update you when I get round to adding this feature. I’ll also try to add an example code snippet that you would need to add to your functions.php file.

To assist me doing this, could you please create a new user in your Blesta system with the password “password1” so that I can test the solution locally for you.

Thanks Amit,

Tom

Hey @rapideyemovement,

Really glad it’s all working 😊.

I’d really appreciate it if you could take the time to write a one line review:
https://wordpress.org/support/plugin/external-login/reviews/#new-post

Thanks,

Ton

Hey Jim,

The code is now deployed.

Version 1.7.1:
– Fixed broken logo icon in production build
– Added ability to login with e-mail address or password on mysql databases

A review would be much appreciated when you get the time.

Thanks,

Tom

This has only stopped working since this update? Please try and download the copy from wordpress.org from the admin area of your site and see if this fixes it.

If not, could you please look at your php error logs and send me any issues you see.

Thanks,

Tom

Hey @jmock,

This is now complete and deployed.

Could you please test it and let me know if it is working as you expected.

Thanks,

Tom