Simple Membership . Password empty or invalid

[kcfez]

When I add a user in Wordpress ( https://jowett.club/wordpress/wp-admin/user-new.php ) this gets transfered to the phpbb database. ( https://jowett.club/forum/memberlist.ph ... e=true&sid............. ) as do changes such as email. But that user cannot logon to phpbb using ( https://jowett.club/forum/ucp.php?mode=login )
After importing the user to Simple Membership that user cannot log into WP.
NOTE: the Domain is not Internet accessible.
Checking the passwords in the three tables.
$wp$2y$10$V2PqQvhzuX7pz25fA.W7j.4SkFY3VeviKp3wmlqe.kxUReOL.hTTq
in Users

$wp$2y$10$o4zm/o854Wzpurtuj06nDOy0PC7MBMfFsXXIdFQV.hg5w1unEj4/q
in Members

$wp$2y$10$V2PqQvhzuX7pz25fA.W7j.4SkFY3VeviKp3wmlqe.kxUReOL.hTTq
in phpbb

User names are the same.

[axew3]

Change email, password AND LOGIN only into WP.
Exact! phpBB without something that can recognize the WP password hash will not work!
You see same hash because it is stored in phpBB by the integration plugin code the same way it is created in WP, when you go to update it in WP.
So users will have to login ONLY in Wordpress when you setup the hash password to be in the WP way.

To be more explicit, something like this code:

Code: Select all

  if ( str_starts_with( $hash, '$wp' ) ) {
      // Check the password using the current prefixed hash.
      $password = stripslashes($password);
      $password = htmlspecialchars($password, ENT_COMPAT);
      $password_to_verify = base64_encode( hash_hmac( 'sha384', $password, 'wp-sha384', true ) );
      $check              = password_verify( $password_to_verify, substr( $hash, 3 ) );
    }

should be simply added into a phpBB listener hook, so to check the pass against it and then login the user when hashed with the WP way, and a login into phpBB occur.
It really seem a good phpBB WordPress extension addition, i will add for next version!

ps have you put the file into the created folder
/srv/jowett.club/public/htdocs/wordpress/wp-content/plugins/wp-w3all-custom/custom_functions.php

Yes? I assume yes because you say that the login works into WP, and it is not because you leaved in place the first code!

[axew3]

Ps about the hack added setting the user as not linked when he login...
would be better

Into a last time version, to make it correctly work the wordfence 2steps auth has been added this code:

Code: Select all

// 2fa x All-In-One Security is into WP_w3all_phpbb::verify_phpbb_credentials()
# Avoid for Wordfence 2fa. Just do not replace wp_check_password, let Wordfence 2fa auth do his way
if(isset($_POST['action']) && $_POST['action'] == 'wordfence_ls_authenticate')
{ # do nothing
  } else {
# replace WP default wp_check_password function that include the phpBB session setup for the user, if the pass match
if ( ! function_exists( 'wp_check_password' ) && ! defined("WPW3ALL_NOT_ULINKED") ) :

function wp_check_password($password, $hash, $user_id = '') { ....  .... ....

this part on next version 3.0.0 will be changed/improved adding a global var.
The var, into the custom /wp-content/plugins/wp-w3all-custom/custom_functions.php
can so be set as true when necessary, so to disable the plugin's wp_check_password only, and not all the plugin features while the page will process the login.
It is so be useful for any other plugin, so to have this easily switched for any possible situation.

[axew3]

Ps the extension 2.0.4 has been removed because containing a bug: it will be re-released within today

[kcfez]

Thanks ,
Yes seems to work now! I had moved the custom_functions.php into an incorrect folder. But I was going out last night!
I will continue testing. I really need to allow users to also login via phpbb as they have been doing that for 20 years. But I will see if I can make it less painful for them. Wordpress has a more inviting user interface.
The landing page for most people will be the phpp index.php or for visitors that are using a link into the site they will be redirected there if they do not have access rights because of incorrect membership level (i.e. club member phpbb group) .
Currently on my phpbb page I have modified it with an extension so that after login the user's club membership is checked as it interogates the club membership database written by myself. I do not like the security of the database and process used by Simple membership. My membership system encrypts everything sensitive and does not send passwords over email! So I will try to interface your integration with my membership system using some of the elements of the WP system. My membership system updates the user's groups based on their membership status so it is probably easier to continue doing that.

Once again thanks and I will continue to follow your development with interest.

[axew3]

The extension 2.0.4 has been released!
Using it and activating the option about WP hash (last added), users can login also if the hash is a WordPress hash.

The unique part not complete, is this fact:
- normally when an user login because going to reply a post, phpBB redirect the user to the login page then to the post where he was submitting a reply or a pm etc
In this case, onlogin, if the hash is in WP way, the user will be always redirected to the phpBB index page.
I will see to fix it.

I realized today, so it was the reason of the temporary remove of the extension download, that the WP hash pass function was working great, but into the wrong phpBB listener, so it was bypassing for example the login times limit or recaptcha. Now works great and without wasting resources of any kind.

viewtopic.php?t=1783

Beside the posts replies extension, the more interesting to me is the coming slider and vertical views extensions, so to make phpBB a little more modern