Breaking change related to Customer portal authentication
Hi all,
Today we have been made aware of a problem with customer login for customized customer portal sites that we are currently fixing. Let me share some details on this.
For the latest release, we have modified the authentication for customers (used for the portal login). We did this for security reasons, since hashing algorithms and brute force power have evolved since the old implementation was done. As a consequence, we also removed the Customer.getValue("password") CRMScript method and rewrote all places it was being called in our code. The idea was that there was no good reason to expose the encrypted hash.
What we did not know is that the CRMScript library shared on GitHub is actually using this functionality to authenticate a customer, by using setValue("password") and getValue("password") on an unsaved customer to calculate the hash. Now, this method would have failed with our new encryption anyhow, because our current solution is also salting, which means the hash will vary randomly for a fixed password.
The solution we have decided to implement, and that we are currently building and will roll out to affected customers as soon as possible, is a new CRMScript method:
Integer authenticateCustomer(String username, String password)
We believe this is the correct solution to your requirement: being able to authenticate a customer. It does not expose the hash, but it lets you check whether a username/password combination is valid. If so, it will return the personId of the customer. If not, it will return a null-Integer.
This means that you will need to update any customizations you have using the old lib-auth method to the new method as soon as a customer is upgraded to the new version. We sincerely apologize for the inconvenience. We were not aware that the getValue("password") method was being used for this purpose. Please get in touch with us, or reply to this post if you have further feedback or need assistance related to this.
Sverre
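To illustrate why the old "hash it yourself and compare" pattern cannot survive a salted scheme, and what an authenticateCustomer-style check does instead, here is an added Python example. It is not SuperOffice code and says nothing about how the product stores passwords: the PBKDF2 parameters, the in-memory customer table, and the function names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# a production value would be higher. This is an assumption, not SuperOffice's setting.
ITERATIONS = 100_000

# Constructed in-memory "customer table": username -> (personId, salt, digest).
# The storage layout is invented for this example.
CUSTOMERS: Dict[str, Tuple[int, bytes, bytes]] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied,
    so two calls with the same password and no salt give two different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register_customer(username: str, password: str, person_id: int) -> None:
    """Store a new customer with a per-user random salt."""
    salt, digest = hash_password(password)
    CUSTOMERS[username] = (person_id, salt, digest)


def authenticate_customer(username: str, password: str) -> Optional[int]:
    """Mirror of the thread's authenticateCustomer(username, password):
    the customer's personId on success, None (the 'null-Integer') otherwise.
    The stored salt is reused so the candidate digest is comparable."""
    record = CUSTOMERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so the response time
        # does not reveal whether the username exists.
        hash_password(password, salt=b"\x00" * 16)
        return None
    person_id, salt, stored = record
    _, candidate = hash_password(password, salt)
    if hmac.compare_digest(candidate, stored):
        return person_id
    return None


def old_style_check(username: str, password: str) -> bool:
    """The pattern the post describes breaking: compute a hash independently of the
    stored record and compare it to the stored one. With per-user random salts the
    fresh digest never matches, even for the correct password."""
    record = CUSTOMERS.get(username)
    if record is None:
        return False
    _, _, stored = record
    _, fresh = hash_password(password)  # new random salt -> different digest
    return fresh == stored


if __name__ == "__main__":
    register_customer("alice@example.com", "correct horse battery staple", 42)
    print(authenticate_customer("alice@example.com", "correct horse battery staple"))  # 42
    print(authenticate_customer("alice@example.com", "wrong"))  # None
    print(old_style_check("alice@example.com", "correct horse battery staple"))  # False
```

The design point is that only the verifying side holds the salt, so a caller can never reproduce the stored digest from the plaintext alone; the only useful primitive to expose is "is this username/password pair valid", which is exactly what the new method returns, together with the personId on success.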
All Replies (9)
Thanks for the info, can you share what hashing algorithms etc. are used now? We get questions related to this when customers want to implement customer portal/centre.
Very nice, Sverre! This is something we have been wanting for a while now so it's great it is getting implemented :)
Are you adding this method to the Customer-class, or do you leverage the stuff that's been added to the Person Agent (REST api)?
Thanks for the information and continuous improvements, Sverre :)
Thanks for the quick and informative updates here.
One small question: is Customer.setValue("password") still supported/working as before, or will this also no longer be supported? If this is no longer supported, what would be a good alternative in CRMscript to change a user password via script?