fusionauth-issues
fusionauth-issues copied to clipboard
Importing a hash longer than 255 characters will fail.
Migration failed when using passport-local-mongoose due to "password" field length
(Previous title: Migration failed using passport-local-mongoose due to "password" length is short. )
Description
We would like to migrate from passport authentication to FusionAuth. The library that we are using is this passport-local-mongoose which uses pbkdf2-hmac-sha256-512
. Apparently the hashed password stored on our database is at least 1000+ characters in length which causes the migration API to fail since the maximum character length for password field is only varchar 255
. This issue could be a big potential blocker on us moving forward in using FusionAuth.
The length of the password field we are trying to import is 1024
. Can the FusionAuth schema be modified to support longer password hashes?
Additional Details
I appears as though passport-local-mongoose
defaults to a 512
byte key length which is 4,096
bits.
https://www.npmjs.com/package/passport-local-mongoose
keylen: specifies the length in byte of the generated key. Default: 512
The FusionAuth default encryptionScheme
values of salted-pbkdf2-hmac-sha256
and pbkdf2-hmac-sha256-512
use a 256
bit and 512
bit key respectively.
A custom plugin would need to be written to use a use a 4,096
bit key, and the password
column would need to be modified to be of type TEXT
to support a larger hash.
For example, to support PBKDF2 using a 4,096
bit key length with a HMAC SHA-256 hash, the hash will be 512
bytes, so the hex encoded value would be 1024
characters long, or 683
characters base64
encoded. All of these sizes and much larger would be ok if we just bump the column size to TEXT
.
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
@edmhar thanks for filing this issue. Can you please let us know what the maximum length of the password hash in your system is?
Hello @mooreds, its 1024 in character length.
Thanks @edmhar . I modified the issue to clarify the problem. I can't commit to any timeline to make this change, but any progress will be tracked in this issue.
Apparently the hashed password stored on our database is at least 1000+ characters in length which causes the migration API to fail since the maximum character length for password field is only varchar 255.
I highly doubt they have created a hash that exceeds 1000 characters in length. Their doc says they use PBKDF2 256 w/ a 512 bit key lenfth which means the hash should not exceed 88
characters.
If you want to post an example value perhaps we can assist. Perhaps they are storing a bunch of values all combined in some sort of schema.
Hi @robotdan, Sure! no worries, it kinda weird also to have a hashed value of more than 255+ characters. I do some digging on how they hashed the password and here's what I found on passport-local-mongoose;
For their hashing they have this function
module.exports = function pbkdf2(password, salt, options, callback) {
crypto.pbkdf2(password, salt, options.iterations, options.keylen, options.digestAlgorithm, callback);
};
and since we import the package without passing custom properties, here are the default values for the fields required by the function above
options = options || {};
options.saltlen = options.saltlen || 32;
options.iterations = options.iterations || 25000;
options.keylen = options.keylen || 512;
options.encoding = options.encoding || 'hex';
options.digestAlgorithm = options.digestAlgorithm || 'sha256'; // To get a list of supported hashes use crypto.getHashes()
Also I will add a sample value of the hashed password based on the options above:
118063111607fc1a241b93e8eb32fbb0a415a16a6f7e7b79c270e419221dc36ed67d09fdd63061d5839f11e6c457a18166ab3cf60d8756b870b0355e04f85dd511aa4731025cfc0b3b3a2fda71ed34ecc1e0c958d0f0998de0833d223a6e2bd874b66dbaf9bb5adc919825b079fe48f51ed76cd578ca38dd22926bdb4dd051a767f800ddad1433ec0a785c5bf9ca4a6821d2dfa1bb2843b16341a71f147cce74afe7824aa9329fd828ccb2a2f1bf8028f1506af4e84ffe1afa322f8d90f9e10a04e3ed8dd4fd83fbc801234963e498152e4c7064d5576abb5758d3edd33e4ad7406dabfad166c5d2516924db341e71a5a1986fdf8191309568adca01c20b885913c516297299b115081b8c211fc95f52d0f7b6137939758c8963d5c23bf4e35ec87b0e979dfccf7f6ee7815066ac2214cffa0200f19157eefd6f4360e73f07fed772c249113bf63371b07b052dbea367dccf14f760df0dad88755d527749041ffd1b40fb09315d30f5a7d60c6370d1bc6ebc8dcf03d46a57f3045370cf2146fa867a2855f156989055b0bfabde49d7e06c4419f1a03a351bfddd0d08253408fb5ac27caabb8220bced4f180c7b5c8eb1a4fbe414ac6c583752a945dd1e33be6d087e38fa4697264b9866555850001ecb9386d4396cc000cb5182afa0e380248547418370c7181ef9389166c42da0cf6a115267c9eadc8f5394f4479562b85b2e
Generated it using this helpful online tool: https://neurotechnics.com/tools/pbkdf2-test
The difference in output length from this is example is due to the key length unit being in bytes instead of bits.
In your example you have set the keylen = 512
so this is 4,096
bytes. This would cause the hash to be a 1024
length hex encoded character string as you're seeing.
The two PBKDF2 hashing algorithms supported out of the box by FusionAuth are PBKDF2 HMAC SHA256 w/ a 256
bit key, or a 512
bit key. These are identified by using the salted-pbkdf2-hmac-sha256
or salted-pbkdf2-hmac-sha256-512
values for the encryptionScheme
property during import.
It is possible you are using a 4,096
bit key in your current passport-local-mongoose
configuration. If that is the case, then there would be a problem with the current maximum size of the db column which is capped at 255
characters.
We could explore changing this data type to be much larger, but this would require a db schema change. If we made this change, you would also need to write a custom password hashing plugin to utilize use your current hashes as our default options don't account for the use of a 4,096
bit key length.
Internal notes:
We should probably change the data type of this column, we'll want to do a bunch of migration test to see how long it will take to make this schema change when there are 1-10M users in that table.