[TYPO3-core] RFC: Feature Request #7139: Integration of fe_users password encryption
Martin Kutschker
martin.kutschker-n0spam at no5pam-blackbox.net
Sun Jan 13 20:20:58 CET 2008
Steffen Kamper wrote:
>
> first: yes, I caught your proposal and did it this easy way, tested and it
> works.
> I don't understand what you feel is wrong.
t3lib_userauth is a base class for BE (t3lib_beuserauth) and FE
(tslib_feuserauth). Introducing code into the BE class that checks for
stuff that belongs (at best) to one of its children is wrong.
A possible solution would have been to make a new method in
tslib_feuserauth. I did not follow that path because I felt the problem
could be handled by the existing securityLevel model.
> Now I tried to follow what you've done. You introduced a new flag and set
> loginSecurityLevel to 'hashed'.
That part is optional. If you want to send the password plain you have
to use type "normal", which is the default anyway (also in my proposal).
> In userauth there are two existing
> securityLevels, challenged and superchallenged, so this is also new.
> // password sent as md5 hash without challenge
> so you have to md5 the password before sending, I don't see how. This
> requires at least a JS to do this.
>
> At the end you come to the same result. In my case you don't need any JS.
> And with challenge or superchallenge it works too.
>
> So what is the conclusion?
That you didn't understand my suggestion. You don't need JS. You need it
only for the simple new "hashed" or the old "superchallenged".
Masi