Unecrypted password API call

jd6strings · June 28, 2017

I've written API code to access user login info BUT I'm dire need of using the system hash to decrypt the user password to plaintext. Is there an API call that can be used to pass in the encrypted client password and our system has and return plaintext?

I'm making my call like this...

$client_login_password = exec("php index.php api/encryption/systemDecrypt.json -u api_user -k XXXXXXXXXXXXXXXXXXXXXXXXX -m GET -p \"value=" . $client_login_password . "\"");

Tyson · June 29, 2017

Why are you trying to get plain-text user passwords? You are aware of the security implications of this, correct? No one should ever know what someone's password is except for that person.

User login passwords cannot be decrypted because they were never encrypted to begin with. They are hashed, and that hash only works one way, so you will not be able to retrieve the plain-text version of the password from it.

It would be helpful to know what you're trying to accomplish here as there may be a better design you can employ to achieve it.

Blesta Addons · June 29, 2017

your system how store password ? in clear text plain ?

Paul · June 29, 2017

Could you provide more information about what you're trying to accomplish? We may have some recommendations. Since user passwords are hashed though, using bcrypt HMAC SHA-256 hashes they are not reversible. If they were reversible, it would be considered a security risk. Even MD5 is not reversible, but it's considered weak due to collisions and rainbow tables.

jd6strings · June 29, 2017

On 6/29/2017 at 1:30 AM, Tyson said:

Why are you trying to get plain-text user passwords? You are aware of the security implications of this, correct? No one should ever know what someone's password is except for that person.

User login passwords cannot be decrypted because they were never encrypted to begin with. They are hashed, and that hash only works one way, so you will not be able to retrieve the plain-text version of the password from it.

It would be helpful to know what you're trying to accomplish here as there may be a better design you can employ to achieve it.

Expand

We're trying to migrate to a different system and we were trying to keep user logins the same...

Paul · June 29, 2017

On 6/29/2017 at 2:01 AM, jd6strings said:

We're trying to migrate to a different system and we were trying to keep user logins the same...

Expand

It's not possible. Why would you want to migrate away from Blesta anyway? :blesta:

Your users will have to reset their passwords.

Tyson · June 29, 2017

Send everyone an email saying system changes necessitate they reset their password, then provide them a link to reset it.

jd6strings · July 3, 2017

On 6/29/2017 at 8:56 PM, Tyson said:

Send everyone an email saying system changes necessitate they reset their password, then provide them a link to reset it.

Expand

That's what we're going to do.

Another question...where in the API can I get a list of credits that a client may have on their account?

Michael · July 3, 2017

On 7/3/2017 at 8:35 PM, jd6strings said:

That's what we're going to do.

Another question...where in the API can I get a list of credits that a client may have on their account?

Expand

I have a question why are you asking a company you are moving from to help you move to your own system?

If I hosted with you, would you help me migrate to GoDaddy or another webhost? Or a ISP would you help me migrate to Verizon or Level3?

jd6strings · July 3, 2017

Unfortunately I tried very hard to keep Blesta in our system. Unfortunately I don't have a say. Furthermore we continue to pay for licensing so why am I not untitled to support?

Tyson · July 3, 2017

Credits aren't stored, they're derived from the transactions that exist on a client's account that have not yet been applied to an invoice. You can fetch them via the API Transactions::getCredits.

jd6strings · July 5, 2017

On 7/3/2017 at 11:45 PM, Tyson said:

Credits aren't stored, they're derived from the transactions that exist on a client's account that have not yet been applied to an invoice. You can fetch them via the API Transactions::getCredits.

Expand

THANK YOU!!!

One last question...

I'm attempting to get the client autodebit settings from the API and I'm using the getSetting($client_id, $key) method. It seems to be returning all the settings including those that are inherited. I would expect that it would return the value for autodebit only if I'm passing that in as the $key parameter. Is this not the case?

Thanks again for the great support! I love Blesta and I am disappointed that I am forced to migrate away to a less user friendly platform...

jd6strings · July 5, 2017

On 7/5/2017 at 1:27 PM, jd6strings said:

THANK YOU!!!

One last question...

I'm attempting to get the client autodebit settings from the API and I'm using the getSetting($client_id, $key) method. It seems to be returning all the settings including those that are inherited. I would expect that it would return the value for autodebit only if I'm passing that in as the $key parameter. Is this not the case?

Thanks again for the great support! I love Blesta and I am disappointed that I am forced to migrate away to a less user friendly platform...

Expand

Disregard! I figured it out!

Blesta Addons · July 6, 2017

On 7/5/2017 at 1:27 PM, jd6strings said:

Thanks again for the great support! I love Blesta and I am disappointed that I am forced to migrate away to a less user friendly platform...

Expand

wish system you are forced to migrate to it ?

Sign In

Unecrypted password API call

Question

jd6strings

13 answers to this question

Recommended Posts

Tyson

Blesta Addons

Paul

jd6strings

Paul

Tyson

jd6strings

Michael

jd6strings

Tyson

jd6strings

jd6strings

Blesta Addons

Please sign in to comment

Browse

Activity