Dual Pins for Users

It is not enough to upgrade. You need to set the DB Compatibility Level to 130 or higher…


It was the compatibility. I appreciate you guys taking time to help, thanks

Hi…as per my experience adding dual pins may solve your issue but we shouldn’t add a specific feature for every case we encounter. Maybe we should execute a script when a pin entry does not match to allow custom logins. I am not saying this will be a better solution but such an approach will also be useful for the user-entity method.


@BilHonan not sure if you missed the beginning of the topic but this is what was done. Emre added a rule event to allow us to catch invalid pin entry and the ability to log in with an action allowing a bypass for the default pin with a second pin.

Finally got round to trying to improve my idea for dual pin.
Was thinking I could use the new password field in user however it looks to be hashed in database.
@emre can I ask what hash type you have used so I can hash the incorrect pin and check against password?
The values in the column look to be prefixed with some strings separated by $
See V1 so guessing you have left open for adaption to alternative hash methods in the future?
Looking at what I guess is the hashed password it looks more complex than md5 etc, guessing they are salted too?
I understand password field is not set to require being unique so plan to only return first result to prevent issue or maybe call via a script and make it not login if returns more than one.

I may change to sha256 in the future but this is how we verify passwords atm.

```csharp
using System;
using System.Security.Cryptography;

public static class SecurePasswordHasher
{
    // Salt and hash lengths are not shown in the post; these values are assumed.
    // HashSize 20 matches the HMAC-SHA1 output that Rfc2898DeriveBytes uses by default.
    private const int SaltSize = 16;
    private const int HashSize = 20;

    // Helper not shown in the post (assumed): the stored value has the layout
    // "$SPHASH$V1$<iterations>$<base64(salt + hash)>".
    private static bool IsHashSupported(string hashString)
    {
        return hashString.StartsWith("$SPHASH$V1$");
    }

    public static bool Verify(string password, string hashedPassword)
    {
        //check hash
        if (!IsHashSupported(hashedPassword))
        {
            throw new NotSupportedException("The hashtype is not supported");
        }

        //extract iteration count and Base64 string
        var splittedHashString = hashedPassword.Replace("$SPHASH$V1$", "").Split('$');
        var iterations = int.Parse(splittedHashString[0]);
        var base64Hash = splittedHashString[1];

        //get hash bytes (salt followed by the PBKDF2 output)
        var hashBytes = Convert.FromBase64String(base64Hash);

        //get salt
        var salt = new byte[SaltSize];
        Array.Copy(hashBytes, 0, salt, 0, SaltSize);

        //create hash with given salt (PBKDF2 with HMAC-SHA1, the Rfc2898DeriveBytes default)
        var pbkdf2 = new Rfc2898DeriveBytes(password, salt, iterations);
        byte[] hash = pbkdf2.GetBytes(HashSize);

        //compare byte by byte; this returns on the first mismatch,
        //so it is not a fixed-time comparison
        for (var i = 0; i < HashSize; i++)
        {
            if (hashBytes[i + SaltSize] != hash[i])
            {
                return false;
            }
        }
        return true;
    }
}
```

Thanks for the info, going to need to research some of those functions LOL.
Unless you perhaps might happen to have a snippet of JScript to just create the hashed value given the original user-entered password by chance? :wink:

lol I posted it to encourage you to give up.

… Of course our JScript environment does not have support for cryptography functions but maybe doing it by importing .NET assemblies might be possible. Well I don’t know if it is really worth the effort.


LOL, NEVEEERRR!

I was guessing something along those lines was going to be needed, still tracing variables to try and see what's happening.

Think you're going to win in all honesty but you know what comes next now;

Can we not get a secondary pin field for users :stuck_out_tongue: ‘Quick Pin’ for RFID/MSR, either pin works, 1 out of two required, both in the same unique pool amongst all users?

@RickH obviously would like something like this LOL

```javascript
// SambaPOS JScript: load the .NET assembly and call SecurePasswordHasher.Verify via reflection
function verifyPassword(p, h) {
    var lib = host.lib('mscorlib');
    var asm = lib.System.Reflection.Assembly.LoadFrom('C:\\Program Files (x86)\\SambaPOS5\\Samba.Infrastructure.dll');
    var type = asm.GetType('Samba.Infrastructure.Helpers.SecurePasswordHasher');
    var method = type.GetMethod('Verify');
    // Verify is static, so the target object is null and the two arguments are passed as an array
    var arr = host.newArr(2);
    arr[0] = p; // password entered by the user
    arr[1] = h; // hash stored in the database
    var result = method.Invoke(null, arr);
    return result;
}
```

But what we’ll release with V6 if we’ll implement everything in V5?


Love you :wink:

So just to clarify I will need to input both the password string entered (p) and the hashed password (h) to test against?

Forget that, answered my own question, so would need to call all users and loop this function inputting entered password each time with the looped hash from each user.
Awesome, thanks for that emre.
Will sort a tutorial when implemented.

You’re calling the method I previously gave the source code. You’ll send password entered by user and the hash stored in the database.

Although @emre, I have just had a thought, in future I would ideally need a way to generate the hash :-/. Had planned to integrate samba with our guestlink site, not just for loyalty members but also as a way of syncing users between all our properties as we share/move staff around by having the users also sync through the site.
Would the hash process be specific to an install or are the methods generic enough that they could be generated in PHP or another web-based script, as I was going to make the process for creating users on the site and script samba to sync with the site each morning.

I really don’t know PHP. Search for Rfc2898

Worst case these users wouldn’t have API access in samba and they are being treated as pins so could store in a decodable hash on site and generate within samba.
Do you have the method for creating the hash by chance? Then would generate it in samba in the sync script.

Yes call Hash method instead of Verify and just send the p.

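The generate-and-verify round trip discussed above, as an added example that is not SambaPOS code: a Python implementation of Hash and Verify for the $SPHASH$V1$<iterations>$<base64(salt + hash)> layout shown in the C# snippet, plus the loop over all users that the thread describes. It assumes a 16-byte salt, a 20-byte HMAC-SHA1 output (the Rfc2898DeriveBytes default) and an iteration count of 10000; none of these values is stated in the thread, so they must be matched against a real stored hash before use.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters (not given in the thread): only the "$SPHASH$V1$" prefix and
# the "<iterations>$<base64>" layout are visible in the posted Verify method.
PREFIX = "$SPHASH$V1$"
SALT_SIZE = 16
HASH_SIZE = 20          # HMAC-SHA1 output length, the Rfc2898DeriveBytes default
DEFAULT_ITERATIONS = 10000


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Produce a $SPHASH$V1$ string: salt and PBKDF2 output concatenated, then base64."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    # Rfc2898DeriveBytes encodes the string password as UTF-8 and uses HMAC-SHA1
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, HASH_SIZE)
    return PREFIX + str(iterations) + "$" + base64.b64encode(salt + derived).decode("ascii")


def verify_password(password, hashed):
    """Mirror of the posted Verify method, but with a fixed-time comparison."""
    if not hashed.startswith(PREFIX):
        raise ValueError("unsupported hash type")
    iterations_str, b64 = hashed[len(PREFIX):].split("$", 1)
    raw = base64.b64decode(b64)
    salt, expected = raw[:SALT_SIZE], raw[SALT_SIZE:SALT_SIZE + HASH_SIZE]
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, int(iterations_str), HASH_SIZE)
    return hmac.compare_digest(derived, expected)


def find_users_by_pin(users, pin):
    """Loop over (name, stored_hash) pairs and return every user whose hash matches the pin.

    Since the password column is not unique, the caller should treat a result
    with more than one name as ambiguous and refuse the login.
    """
    return [name for name, stored in users if verify_password(pin, stored)]


if __name__ == "__main__":
    # constructed sample data
    users = [("alice", hash_password("1111")), ("bob", hash_password("2222"))]
    print(find_users_by_pin(users, "2222"))
```

For a PHP sync script, `hash_pbkdf2('sha1', $pin, $salt, $iterations, 20, true)` yields the same derived bytes to prepend the salt to and base64-encode.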

Awesome, missed that, should have picked up on that line…
