I have overridden the hash($data) and validateHash($password, $hash) of Mage_Core_Model_Encryption in a custom module. It works: I can log in to the admin area with my password and it validates correctly with the new hash; however, I cannot navigate in the admin area. I see a password-like hash becomes part of the URL: admin/dashboard/index/key/[bcrypt hash here]. The browser cannot redirect to the resulting URL. Can anyone advise me on overriding password hashes without breaking the URLs with them? Thanks in advance.
In case it helps, my config xml looks like this:
    <?xml version="1.0" ?>
    <config>
        <modules>
            <Mycompany_Encryption>
                <version>0.1</version>
                <depends>Mage_Core</depends>
            </Mycompany_Encryption>
        </modules>
        <global>
            <models>
                <core>
                    <rewrite>
                        <encryption>Mycompany_Encryption_Model_Encryption</encryption>
                    </rewrite>
                </core>
            </models>
            <helpers>
                <core>
                    <encryption_model>Mycompany_Encryption_Model_Encryption</encryption_model>
                </core>
            </helpers>
        </global>
    </config>
UPDATE: (per two comments below) how to use password_hash instead of md5 for password authentication, while allowing URL keys to use the hash function in a URL-friendly way?
The encrypt/decrypt functions of Mage_Core_Model_Encryption are not used in URLs.

Basically, there are two ways to solve the conflict. One is to implement the new hash using an event observer on the customer authentication methods. The other method, the one which works better for me, is to just extend Mage_Adminhtml_Model_Url and override the getSecretKey method. [The two repos linked in comments were helpful in learning this.]

To fix the issue, I added a node to my config.xml inside models:

And then added the file Mycompany/Encryption/Model/Adminhtml/Url.php:

Lastly, I updated my Mycompany/Encryption/Model/Encryption.php by adding a urlHash method (in addition to the hash, validateHash, and getHash functions already located there):

I could have just returned md5($secret) at the end of getSecretKey and that works also, but this method demonstrates more Mage methods that are helpful to see in action.

I have not fully tested my module yet, but this appears to be fully compatible with every place getSecretKey is called.