Applications like Shopware use a live migration for that. You store/import information about the hashing algorithm used. Before the user logs in, you can live-migrate the password to your new hashing algorithm.
For example: the hashing is done by a PHP class (perhaps called Encoder). You store information about the encoder used (a string like “md5” or “bcrypt”). If the old encoder is used, you use the old encoder to verify the password and migrate the password using the new encoder.
I have the same requirement: migrating passwords from a TYPO3 installation to a Flow app. The frontend users have salted passwords. My (as of yet untested) plan would be as follows:
Have my own AuthenticationProvider, Typo3FrontendUserProvider, and save the current TYPO3 password in credentialsSource.
Save the encryption key of the TYPO3 installation as a setting.
The Typo3FrontendUserProvider intercepts the password entered by the user. It uses the (rebuilt) mechanisms for salted passwords in TYPO3 to validate the password.
If validation is successful, the intercepted password is set as the new password using Flow mechanisms, and the provider is set to DefaultProvider.
Do you think this could work, or am I missing a point?
Not sure if I got it right, but why not give it a try?
In general you should be able to create your custom AuthenticationProvider that can somehow authenticate the TYPO3 credentials (e.g. by talking to the TYPO3 instance or by importing the salted credentials & encryption key).
Thanks @christianm for pointing me in the right direction. It turned out to be pretty easy. I created a Gist for those having the same requirement:
For those importing users from TYPO3, e.g. in a CommandController, you can use the following method:
/**
 * Creates a new account for an imported TYPO3 frontend user and sets the given roles.
 *
 * This doesn't hash the password: the TYPO3 salted hash is stored without transformation,
 * prefixed with "typo3md5salted=>" so that the Typo3FrontendUserProvider can recognise it
 * and live-migrate it at the user's first login.
 *
 * @param string $identifier Identifier of the account, must be unique
 * @param string $password The salted password hash as stored by TYPO3 (not the clear text)
 * @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account
 * @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with
 * @param string $passwordHashingStrategy Unused here, since the hash is stored as-is; kept so the signature matches the usual createAccountWithPassword
 * @return \TYPO3\Flow\Security\Account A new account, not yet added to the account repository
 */
protected function createAccountWithPassword($identifier, $password, $roleIdentifiers = array(), $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default')
{
    $account = new \TYPO3\Flow\Security\Account();
    $account->setAccountIdentifier($identifier);
    // Store the imported hash verbatim; the prefix marks it for migration by the provider.
    $account->setCredentialsSource('typo3md5salted=>' . $password);
    $account->setAuthenticationProviderName($authenticationProviderName);
    // $this->policyService must be injected into the controller (e.g. via @Flow\Inject).
    $roles = array();
    foreach ($roleIdentifiers as $roleIdentifier) {
        $roles[] = $this->policyService->getRole($roleIdentifier);
    }
    $account->setRoles($roles);
    return $account;
}
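As an added example, not code from this thread, the Gist, Shopware, TYPO3 or Flow: the live-migration flow that the Shopware post and the Typo3FrontendUserProvider plan above both describe, written as plain PHP 8 so it can be run on its own. The stored credential carries a prefix naming the strategy (the "typo3md5salted=>" prefix is the one from the Gist; "md5=>" and "bcrypt=>" are invented here), the legacy strategy is used only to verify, and on a successful login the password is re-hashed with password_hash(). It assumes that a TYPO3 salted-MD5 hash is a crypt()-compatible "$1$salt$hash" string, which is what TYPO3's Md5Salt class produces as far as I know; check that against your own exported data. The function names (verifyCredential, loginAndMigrate, hashCurrent) and the sample accounts are mine.

```php
<?php
declare(strict_types=1);

// Hypothetical strategy prefixes stored in front of the credential.
const STRATEGY_LEGACY_MD5   = 'md5=>';            // unsalted md5($password): weakest legacy form
const STRATEGY_TYPO3_SALTED = 'typo3md5salted=>'; // assumption: TYPO3 Md5Salt hash, crypt()-compatible "$1$salt$hash"
const STRATEGY_CURRENT      = 'bcrypt=>';         // password_hash() output: the current strategy

/** Verify $password against a prefixed credential; unknown prefixes are rejected, never guessed. */
function verifyCredential(string $credential, string $password): bool
{
    if (str_starts_with($credential, STRATEGY_CURRENT)) {
        return password_verify($password, substr($credential, strlen(STRATEGY_CURRENT)));
    }
    if (str_starts_with($credential, STRATEGY_TYPO3_SALTED)) {
        $hash = substr($credential, strlen(STRATEGY_TYPO3_SALTED));
        // crypt() re-derives the hash from the salt embedded in $hash; compare in constant time.
        return hash_equals($hash, crypt($password, $hash));
    }
    if (str_starts_with($credential, STRATEGY_LEGACY_MD5)) {
        $hash = substr($credential, strlen(STRATEGY_LEGACY_MD5));
        return hash_equals($hash, md5($password));
    }
    return false;
}

/** True when the stored credential is not yet in the current strategy. */
function needsMigration(string $credential): bool
{
    return !str_starts_with($credential, STRATEGY_CURRENT);
}

/** Hash a clear-text password with the current strategy, prefixed for storage. */
function hashCurrent(string $password): string
{
    return STRATEGY_CURRENT . password_hash($password, PASSWORD_BCRYPT);
}

/**
 * Login step: verify with whatever strategy the record names; if that is not the
 * current one, replace the stored credential with a fresh bcrypt hash. The clear
 * text is only available here, during the login request, which is why migration
 * has to happen at login time and not in a batch job.
 * Returns [success, credential to persist].
 */
function loginAndMigrate(string $credential, string $password): array
{
    if (!verifyCredential($credential, $password)) {
        return [false, $credential];
    }
    if (needsMigration($credential)) {
        $credential = hashCurrent($password);
    }
    return [true, $credential];
}

// Constructed sample accounts; the hashes are generated here, not exported from any real system.
$clearText = ['alice' => 'correct horse', 'bob' => 'battery staple'];
$accounts = [
    'alice' => STRATEGY_LEGACY_MD5 . md5($clearText['alice']),
    'bob'   => STRATEGY_TYPO3_SALTED . crypt($clearText['bob'], '$1$abcdefgh$'),
];

foreach ($accounts as $user => $stored) {
    // A wrong password must be rejected and must not touch the stored credential.
    [$ok, $unchanged] = loginAndMigrate($stored, 'not the password');
    printf("%s: wrong password %s, credential unchanged: %s\n",
        $user, $ok ? 'ACCEPTED (bug)' : 'rejected', $unchanged === $stored ? 'yes' : 'no');

    // The right password is accepted and the record is upgraded in the same step.
    [$ok, $migrated] = loginAndMigrate($stored, $clearText[$user]);
    printf("%s: login %s, migrated: %s, verifies with new hash: %s\n",
        $user, $ok ? 'ok' : 'FAILED',
        str_starts_with($migrated, STRATEGY_CURRENT) ? 'yes' : 'no',
        verifyCredential($migrated, $clearText[$user]) ? 'yes' : 'no');
}
```

Two caveats for a real migration: accounts that never log in keep their legacy hash indefinitely, so set a cut-off date after which remaining "md5=>" and "typo3md5salted=>" records are invalidated and a password reset is forced; and once a record has been migrated, the old hash (and, if it is no longer needed for verification, the imported TYPO3 encryption key) should be deleted rather than kept next to the new one.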