Dual Pins for Users

Just to check, does the entity primary field (Name) exactly match the user name for samba login?

Actions:

Rules:


Here is an example employee entity:

In my setup the name is the same as the username.


So what does this test return?

What does this return in SQL Manager?

SELECT e.[Name]
FROM [Entities] e
JOIN [EntityTypes] et ON et.[Id] = e.[EntityTypeId]
JOIN [EntityCustomFields] cf ON cf.[EntityTypeId] = e.[EntityTypeId]
CROSS APPLY OPENJSON(e.[CustomData])
    WITH (jsonName varchar(50) '$.Name', jsonValue varchar(50) '$.Value') jsonData
WHERE et.[Name] = 'Employees'
  AND cf.[Name] = 'FOB'
  AND jsonName = 'FOB'
  AND jsonValue = '123456789'
1 Like

Q is a wiz at SQL, and I have tried the script with different fields on the database on this machine and it works.
So check the script directly that you're getting what you expect, then check with a message in Samba that it's working and returning as expected in Samba.

It is not enough to upgrade. You need to set the DB Compatibility Level to 130 or higher…

2 Likes

It was the compatibility. I appreciate you guys taking time to help, thanks

Hi… as per my experience, adding dual pins may solve your issue, but we shouldn't add a specific feature for every case we encounter. Maybe we should execute a script when a pin entry does not match, to allow custom logins. I am not saying this will be a better solution, but such an approach will also be useful for the user-entity method.


@BilHonan not sure if you missed the beginning of the topic, but this is what was done. Emre added a rule event to allow us to catch invalid pin entry and the ability to log in with an action allowing a bypass for the default pin with a second pin.

Finally got round to trying to improve my idea for dual pin.
Was thinking I could use the new password field in user, however it looks to be hashed in the database.
@emre can I ask what hash type you have used so I can hash the incorrect pin and check it against the password?
The values in the column look to be prefixed with some strings separated by $.
I see V1, so I'm guessing you have left it open for adapting to alternative hash methods in the future?
Looking at what I guess is the hashed password, it looks more complex than md5 etc.; guessing they are salted too?
I understand the password field is not set to require being unique, so I plan to only return the first result to prevent issues, or maybe call via a script and make it not log in if it returns more than one.

I may change to sha256 in the future but this is how we verify passwords atm.

using System;
using System.Security.Cryptography;

public static class SecurePasswordHasher
{
    // SaltSize and HashSize are used by Verify() but their values were not shown in the post;
    // 16 and 20 are assumed here (20 bytes is the native output length of HMAC-SHA1, the
    // default PRF of Rfc2898DeriveBytes).
    private const int SaltSize = 16;
    private const int HashSize = 20;

    // Stored format: "$SPHASH$V1$<iterations>$<base64(salt || hash)>"
    private static bool IsHashSupported(string hashString)
    {
        return hashString.StartsWith("$SPHASH$V1$");
    }

    public static bool Verify(string password, string hashedPassword)
    {
        //check hash
        if (!IsHashSupported(hashedPassword))
        {
            throw new NotSupportedException("The hashtype is not supported");
        }

        //extract iteration and Base64 string
        var splittedHashString = hashedPassword.Replace("$SPHASH$V1$", "").Split('$');
        var iterations = int.Parse(splittedHashString[0]);
        var base64Hash = splittedHashString[1];

        //get hashbytes (the salt is stored first, followed by the PBKDF2 output)
        var hashBytes = Convert.FromBase64String(base64Hash);

        //get salt
        var salt = new byte[SaltSize];
        Array.Copy(hashBytes, 0, salt, 0, SaltSize);

        //create hash with given salt (PBKDF2 with HMAC-SHA1 by default)
        var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations);
        byte[] hash = pbkdf2.GetBytes(HashSize);

        //get result: byte-by-byte compare. Note it returns on the first mismatching
        //byte, so it is not constant-time; CryptographicOperations.FixedTimeEquals
        //is the constant-time alternative on frameworks that provide it.
        for (var i = 0; i < HashSize; i++)
        {
            if (hashBytes[i + SaltSize] != hash[i])
            {
                return false;
            }
        }
        return true;
    }
}
1 Like
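As an added example (not SambaPOS code and not part of the original thread), the following Python reimplements the stored-hash layout that the C# Verify() above describes, "$SPHASH$V1$<iterations>$<base64(salt || pbkdf2)>", so that the format can be understood and exercised outside the POS. It assumes the same sizes the C# snippet leaves unstated (a 16-byte salt and a 20-byte hash, matching HMAC-SHA1, which is the default PRF of Rfc2898DeriveBytes) and a 10000-iteration default for creation, which the thread does not show. It also implements the lookup the thread sketches: try the entered pin against every user's stored hash and refuse the login unless exactly one user matches, because the password column is not unique. Note this runs under a normal Python interpreter, not inside SambaPOS's JScript engine.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Stored format, as in the C# Verify() posted in the thread:
#   "$SPHASH$V1$<iterations>$<base64(salt || pbkdf2)>"
PREFIX = "$SPHASH$V1$"

# ASSUMPTION: the C# post references SaltSize/HashSize but does not show their values.
# 16 and 20 are used here; 20 bytes is the native output length of HMAC-SHA1, which is
# the default PRF of Rfc2898DeriveBytes(password, salt, iterations).
SALT_SIZE = 16
HASH_SIZE = 20
DEFAULT_ITERATIONS = 10000  # assumed; the thread does not show the creation-side count


def is_hash_supported(hashed: str) -> bool:
    return hashed.startswith(PREFIX)


def parse_hash(hashed: str) -> Tuple[int, bytes, bytes]:
    """Split a stored string into (iterations, salt, stored_hash)."""
    if not is_hash_supported(hashed):
        raise ValueError("The hash type is not supported")
    iterations_text, b64 = hashed[len(PREFIX):].split("$", 1)
    blob = base64.b64decode(b64, validate=True)
    if len(blob) != SALT_SIZE + HASH_SIZE:
        raise ValueError("stored hash has unexpected length")
    return int(iterations_text), blob[:SALT_SIZE], blob[SALT_SIZE:]


def create_hash(password: str, iterations: int = DEFAULT_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Produce a string in the same layout; the salt is random unless supplied."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                  iterations, dklen=HASH_SIZE)
    return "%s%d$%s" % (PREFIX, iterations,
                        base64.b64encode(salt + derived).decode("ascii"))


def verify(password: str, hashed: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count and compare.
    Unlike the byte-by-byte loop in the C# post, compare_digest does not
    short-circuit on the first mismatching byte."""
    iterations, salt, stored = parse_hash(hashed)
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                  iterations, dklen=HASH_SIZE)
    return hmac.compare_digest(stored, derived)


def find_user_by_pin(entered_pin: str, users: Dict[str, str]) -> Optional[str]:
    """The lookup the thread sketches: try the entered pin against every user's
    stored hash. Because the password column is not unique, the login is refused
    (None) unless exactly one user matches."""
    matches = [name for name, stored in users.items() if verify(entered_pin, stored)]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    # Constructed sample data, not real SambaPOS records.
    users = {
        "alice": create_hash("1111", iterations=1000),
        "bob": create_hash("2222", iterations=1000),
        "carol": create_hash("1111", iterations=1000),  # same pin as alice
    }
    print(find_user_by_pin("2222", users))  # bob
    print(find_user_by_pin("1111", users))  # None: two users share this pin
```

The iteration count travels inside the stored string, so verify() honours whatever count the record was created with; that is what lets a later change of cost (or, with a new prefix, of algorithm) coexist with old records.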

Thanks for the info, going to need to research some of those functions LOL.
Unless you perhaps might happen to have a snippet of JScript to just create the hashed value given the original user-entered password, by chance? :wink:

lol I posted it to encourage you to give up.

… Of course our JScript environment does not have support for cryptography functions, but maybe doing it by importing .NET assemblies might be possible. Well, I don't know if it's really worth the effort.

2 Likes

LOL, NEVEEERRR!

I was guessing something along those lines was going to be needed, still tracing variables to try and see what's happening.

Think you're going to win in all honesty, but you know what comes next now;

Can we not get a secondary pin field for users :stuck_out_tongue: 'Quick Pin' for RFID/MSR, either pin works, 1 out of two required, both in the same unique pool amongst all users?

@RickH obviously would like something like this LOL

2 Likes
// Calls SecurePasswordHasher.Verify from Samba.Infrastructure.dll through .NET reflection,
// since the JScript engine has no cryptography functions of its own.
// p = the password/pin entered by the user, h = the hash string stored in the database.
function verifyPassword(p, h) {
    // host.lib() exposes a .NET assembly to the script; mscorlib provides System.Reflection.
    var lib = host.lib('mscorlib');
    // Load the SambaPOS assembly that contains the hasher (install path as given in this post).
    var asm = lib.System.Reflection.Assembly.LoadFrom('C:\\Program Files (x86)\\SambaPOS5\\Samba.Infrastructure.dll');
    var type = asm.GetType('Samba.Infrastructure.Helpers.SecurePasswordHasher');
    var method = type.GetMethod('Verify');
    // Reflection takes the arguments as a .NET object[]; host.newArr() builds one.
    var arr = host.newArr(2);
    arr[0] = p;
    arr[1] = h;
    // Verify is static, so the target instance is null; the result is the boxed bool.
    var result = method.Invoke(null, arr);
    return result;
}
4 Likes

But what we’ll release with V6 if we’ll implement everything in V5?

2 Likes

Love you :wink:

So just to clarify, I will need to input both the password string entered (p) and the hashed password (h) to test against?

Forget that, answered my own question, so I would need to call all users and loop this function, inputting the entered password each time with the looped hash from each user.
Awesome, thanks for that emre.
Will sort a tutorial when implemented.

You're calling the method whose source code I gave previously. You'll send the password entered by the user and the hash stored in the database.