Migrating account passwords from Discuz to NodeBB
We recently moved our forum from Discuz to NodeBB. The original Discuz (DZ) installation had been in use for a long time and had accumulated a certain number of users, so to make the migration invisible to those users, the first problem to solve was account login.
1. Discuz encryption method
Since we are migrating from DZ to NodeBB, we first need to understand how DZ's password encryption is implemented.
DZ's method is relatively simple (a salted double MD5). It works as follows:
1. Start with the plaintext password pwd=123456 and salt=666666 (stored in the database);
   pwd=123456,salt=666666
2. MD5 the pwd once and take the 32-character lowercase result as hash1;
   hash1=md5(pwd)
3. Concatenate hash1 and the salt to get temp=hash1+salt;
   temp=hash1+salt
4. MD5 temp; the 32-character lowercase result is the password field in the database.
   password=md5(temp)
Now that we know how DZ encrypts passwords, we can modify NodeBB.
2. Modify the NodeBB registration and login process
The main files involved are:
1. `src/controllers/authentication.js`
2. `/src/bcrypt.js`
3. `/src/password.js`
4. `/src/user/create.js`
1. First, at registration time, store a salt field in the database alongside the password. The initial salt is preferably associated with the account, which makes it easier to find and modify the records in the Mongo database later (/src/user/create.js).

```js
async.parallel([
    async.apply(User.setUserField, userData.uid, 'password', hash),
    // Add a salt field to the user record at registration so that it can be
    // combined with DZ's encryption method
    async.apply(User.setUserField, userData.uid, 'salt', '123456'),
    async.apply(User.reset.updateExpiry, userData.uid),
], next);
```
2. Modify the /src/bcrypt.js file

```js
var crypto = require('crypto'); // required by the MD5 calls below

process.on('message', function (msg) {
    if (msg.type === 'hash') {
        hashPasswordAsDz(msg.password, msg.salt, done);
    } else if (msg.type === 'compare') {
        compare(String(msg.password || ''), String(msg.hash || ''), msg.salt, done);
    }
});

// Change the password hashing to DZ's method: md5(md5(password) + salt)
function hashPasswordAsDz(password, salt, done) {
    var md5 = crypto.createHash('md5');
    md5.update(password);
    var hash1 = md5.digest('hex');
    md5 = crypto.createHash('md5');
    var content = hash1 + salt;
    md5.update(content);
    var hash2 = md5.digest('hex');
    done(null, hash2);
}

// Change the password comparison logic so that it stays consistent with DZ
function compare(password, hash, salt, done) {
    var md5 = crypto.createHash('md5');
    md5.update(password);
    var hash1 = md5.digest('hex');
    md5 = crypto.createHash('md5');
    var content = hash1 + salt;
    md5.update(content);
    var hash2 = md5.digest('hex');
    if (hash2 === hash) {
        done(null, true);
    } else {
        done(null, false);
    }
}

// Send the result (or the error) back to the parent process and exit
function done(err, result) {
    if (err) {
        process.send({ err: err.message });
        return process.disconnect();
    }
    process.send({ result: result });
    process.disconnect();
}
```
3. Modify /src/controllers/authentication.js

```js
// Fragment: also fetch the salt field when loading the user's login data
userData: function (next) {
    db.getObjectFields('user:' + uid, ['password', 'passwordExpiry', 'salt'], next);
},
```

At login, the salt value is fetched as well, so that it can be passed on to the compare function for the MD5 calculation.

```js
// Fragment: pass the stored salt through to Password.compare
function (next) {
    Password.compare(password, userData.password, userData.salt, next);
}
```

The parameter list of compare is changed so that the salt from userData is passed in.
4. Modify /src/password.js

```js
function compare(password, hash, salt, callback) {
    getFakeHash(function (err, fakeHash) {
        if (err) {
            return callback(err);
        }
        // Forward the salt to the child process running bcrypt.js
        forkChild({ type: 'compare', password: password, hash: hash || fakeHash, salt: salt }, callback);
    });
}
```

The compare function gains a salt parameter; it calls the compare function in bcrypt.js and invokes the callback with the result.
3. NodeBB small-batch registration
Because the original forum holds little data and there was not much time to study NodeBB's logic, I used the simplest brute-force approach: bulk registration through Selenium + pyvirtualdisplay. The account name and email come from the DZ data; the password is arbitrary, because it is replaced in step 4.

```python
import time

from pyvirtualdisplay import Display
from selenium import webdriver
from selenium.webdriver.common.by import By

import config  # the author's settings module; provides FORUM_HOME_URL


def register(s_email, s_username, s_password):
    # The size values passed to Display were lost from the original page;
    # add size=(width, height) here if a specific size is needed.
    display = Display(visible=0)
    display.start()
    browser = webdriver.Chrome()
    try:
        browser.get(config.FORUM_HOME_URL)
        time.sleep(2)
        register_link = browser.find_element(By.XPATH, '//*[@id="logged-out-menu"]/li[1]/a')
        register_link.click()  # open the registration page
        time.sleep(2)
        browser.refresh()
        # Get the registration form fields
        email = browser.find_element(By.ID, 'email')
        username = browser.find_element(By.ID, 'username')
        password = browser.find_element(By.ID, 'password')
        password_confirm = browser.find_element(By.ID, 'password-confirm')
        register_button = browser.find_element(By.ID, 'register')
        # Fill in the values
        email.send_keys(s_email)
        username.send_keys(s_username)
        password.send_keys(s_password)
        password_confirm.send_keys(s_password)
        register_button.click()
        time.sleep(3)
        browser.refresh()
        # Get the consent checkboxes and submit
        agree1 = browser.find_element(By.ID, 'gdpr_agree_data')
        agree2 = browser.find_element(By.ID, 'gdpr_agree_email')
        submit = browser.find_element(By.XPATH, '//*[@id="content"]/form/div[2]/div/button')
        agree1.click()
        agree2.click()
        submit.click()
        time.sleep(3)
    finally:
        # Release the browser and the virtual display after each registration
        browser.quit()
        display.stop()
```

The registrations took about half a day to run. After that, the contents of the MongoDB database are modified to finish the final step.
4. Modify the NodeBB data source
After step 3 you can already log in with the initial password we set, but the goal is to migrate DZ to NodeBB, so the NodeBB database also has to be modified. MongoDB is used as the example here.
1. Look at the contents of the MongoDB database; the migration mainly concerns one kind of document:

```json
{
    "_id": "id",
    "_key": "user:1",
    "acceptTos": 0,
    "banned": 0,
    "birthday": "",
    "email": "[email protected]",
    "fullname": "",
    "gdpr_consent": 1,
    "joindate": 1528885781389,
    "lastonline": 1529026648838,
    "lastposttime": 0,
    "location": "",
    "picture": "",
    "postcount": 0,
    "profileviews": 0,
    "reputation": 0,
    "signature": "",
    "status": "online",
    "topiccount": 0,
    "uid": 1,
    "uploadedpicture": "",
    "username": "cc.zhang",
    "userslug": "cc-zhang",
    "website": "",
    "password": "password",
    "salt": "salt",
    "passwordExpiry": 0
}
```

2. Here _key = 'user:' + user.id. All we have to do is find the relevant user account, then replace its salt with the salt exported from DZ and its password with the password exported from DZ.
```python
# data is the pymongo collection that holds the user documents
data.update_one({'email': email, 'salt': old_salt}, {'$set': {'salt': new_salt, 'password': hash}})
```

The document is located by its email and its current salt, and then updated.
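The DZ scheme from section 1 and the update from this step can be combined into a pre-flight check. The following is an added example, not code from the original post: it validates each exported DZ row before building the filter/update pair, and verifies passwords with a constant-time comparison. The function names, the row field names and the sample rows are assumptions; `123456` is the placeholder salt written at registration in section 2.

```javascript
// Added example: dzHash, dzVerify, buildUpdate, plan and the row fields are hypothetical names.
const crypto = require('crypto');

const md5hex = (s) => crypto.createHash('md5').update(String(s), 'utf8').digest('hex');

// DZ scheme from section 1: password = md5(md5(pwd) + salt)
const dzHash = (pwd, salt) => md5hex(md5hex(pwd) + salt);

// Same decision as compare() in bcrypt.js, but compared in constant time.
function dzVerify(pwd, storedHash, salt) {
  const a = Buffer.from(dzHash(pwd, salt), 'utf8');
  const b = Buffer.from(String(storedHash), 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

const HEX32 = /^[0-9a-f]{32}$/;

// Build the filter/update pair of step 4 for one exported DZ row, or report
// why the row must not be written (a bad hash or empty salt locks the user out).
function buildUpdate(row, placeholderSalt) {
  if (!row.email) return { error: 'missing email' };
  if (!HEX32.test(row.password || '')) return { error: 'password is not 32 lowercase hex chars' };
  if (!row.salt) return { error: 'missing salt' };
  return {
    filter: { email: row.email, salt: placeholderSalt },
    update: { $set: { salt: row.salt, password: row.password } },
  };
}

// Split an export into updates that are safe to apply and rows to review by hand.
function plan(rows, placeholderSalt) {
  const ok = [];
  const rejected = [];
  for (const row of rows) {
    const r = buildUpdate(row, placeholderSalt);
    if (r.error) rejected.push({ email: row.email, error: r.error });
    else ok.push(r);
  }
  return { ok, rejected };
}

// Constructed sample export rows (not real data).
const rows = [
  { email: 'alice@example.com', password: dzHash('123456', '666666'), salt: '666666' },
  { email: 'bob@example.com', password: 'E10ADC3949BA59AB', salt: 'abc123' }, // truncated, upper case
  { email: 'carol@example.com', password: dzHash('hunter2', 'x1y2z3'), salt: '' }, // salt missing
];

console.log(JSON.stringify(plan(rows, '123456'), null, 2));
```

Rows that land in `rejected` should be fixed in the export before any write, since a stored hash that is not exactly what `compare` computes can never match at login.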
5. Login verification
Open the login page and log in with the DZ account name and password to verify that the migration worked. If login fails, the server may need to be restarted. So far only the account and password part has been migrated and modified; there may be further changes still to make, and they will be made as they are discovered.