[MGNLUI-4182] Password field stores password in plain text Created: 31/Mar/17  Updated: 08/Mar/21  Resolved: 08/Mar/21

Status: Closed
Project: Magnolia UI
Component/s: forms
Affects Version/s: 5.7
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Antti Hietala Assignee: Unassigned
Resolution: Workaround exists Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to DOCU-984 Update "Password field" page Closed
is related to MGNLUI-5537 Create M6 UI PasswordField Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Documentation update required:
Yes
Date of First Response:

Description

In Password field documentation we say:

The field saves a cryptographic Bcrypt hash of the password rather than the password itself.

This statement is not correct, at least not by default. The password field stores the password in the repository in plain text (unencrypted) by default. To reproduce, configure the field in any form and examine the result.

It's not clear what the user must do to enable the encryption. An encode property is listed in documentation but it doesn't seem to do anything. PasswordFieldDefinition has no such property.

Fix the default behavior or document how to enable encryption.



Comments
Comment by Jan Haderka [ 31/Mar/17 ]

Not sure if this is product issue or documentation issue.

The password field is a simple text field that hides the text visually from prying eyes; however, it stores the value provided by the user directly. If we stored just a hash, it would mean that the system could never find out the underlying password (which is OK when you want to authenticate against the password and compare just the stored hash against the hash of the password provided during login), but it is not OK if you are entering a password to be stored by the system to access other systems requiring authentication (where Magnolia needs to enter the password on behalf of the user). The password safe/manager app should be used for the latter case anyway.

In the case of our user dialog, we use the password field only to collect the value of the password entered by the user, but delegate the whole saving of the user and the hashing to the underlying user manager (which might or might not be the internal Magnolia User Manager and might or might not hash the password).
A similar result, without involving the user manager, can be achieved by configuring info.magnolia.ui.form.field.transformer.basic.BCryptTransformer on the password field; however, keep in mind that in this case only the hash is stored and it is never possible to decode the clear text password again.
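To make the distinction in the comment above concrete, here is an added example that is not Magnolia code: a minimal hash-and-verify pair showing why a stored hash supports a login check but can never be turned back into the password the user typed. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the record format, the iteration count and the function names are assumptions made for this example.

```python
"""Added example (not Magnolia code): one-way password storage vs. plain text.

PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here.
The 'pbkdf2_sha256$iterations$salt_hex$hash_hex' record layout, the
iteration count and all function names are assumptions for this example.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumed work factor; tune to your own hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record that holds a verifier, not the secret.

    A fresh random salt is drawn per call, so two hashes of the same
    password differ; the salt is kept in the record so a later check
    can redo exactly the same work.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the candidate's hash and compare it in constant time.

    A malformed record (including a plain-text value that was never
    hashed) yields False instead of raising, so it can never verify
    by accident.
    """
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != ALGO:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256",
            candidate.encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(iterations),
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


def is_hashed_record(value: str) -> bool:
    """Tell whether a stored value is a hash record or raw text.

    Useful when auditing a repository: anything that does not parse as
    a record is the password itself and can still be read back, which is
    exactly the situation the bug report describes.
    """
    try:
        algo, iterations, salt_hex, hash_hex = value.split("$")
        bytes.fromhex(salt_hex)
        bytes.fromhex(hash_hex)
        return algo == ALGO and int(iterations) > 0
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the same password stored twice.
    secret = "correct horse battery staple"
    first, second = hash_password(secret), hash_password(secret)
    print("records differ (different salts):", first != second)
    print("both verify the right password:", verify_password(first, secret), verify_password(second, secret))
    print("wrong password rejected:", verify_password(first, secret.upper()))
    print("raw value detected as plain text:", not is_hashed_record(secret))
    # Nothing in 'first' lets a program recover 'secret' to log in elsewhere;
    # only a check against a candidate is possible.
```

Note the trade-off the comment states: once only the record is stored, the system can answer "is this the user's password?" but never "what is the user's password?", so a field that must hand the secret to another system cannot be backed by this kind of storage.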

Comment by Roman Kovařík [ 08/Mar/21 ]

Closing this, as it is clearly stated in the latest docu.
https://docs.magnolia-cms.com/product-docs/Templating/Dialog-definition/Field-definition/List-of-fields/Password-field.html

Generated at Mon Feb 12 09:14:06 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.