Creating a customer login function using the PrestaShop webservice

Issue

I'm currently working on an application that makes use of the PrestaShop webservice. This means that the application I'm building is an extension of an existing PrestaShop application. The connection between both applications is through the PrestaShop webservice.

Currently I'm trying to create a login script for the customers. The email and password are obtained from the database through the webservice and I'm able to filter the inputs with the existing rows. So when filling in [email protected] the filter will only obtain the row with that email address.

The problem I'm having is with the password. PrestaShop uses a _COOKIE_KEY_ together with an md5() to encrypt passwords. See this link for more information: link

So I've been trying some different things for a while to check the inputted password against the customer's password, but I haven't found the solution yet.

Take a look at the code below:

<?php

require_once('./PSWebServiceLibrary.php');

/**
 * get information from PrestaShop
 */

$webService = new PrestaShopWebservice($url, $key, $debug);

define('_COOKIE_KEY_', '...');
$email = "[email protected]";
define('password', "test");
$md5passwd = md5(_COOKIE_KEY_ . password);

$opt = array(
    "resource" => "customers",
    "display" => "[email , passwd]",
    "filter[email]" => "$email"
);

$optPass = array(
    "resource" => "customers",
    "display" => "[email]",
    "filter[email]" => "$email",
    "filter[passwd]" => "$md5passwd"
);

$jsonPass = ($webService->get( $optPass ));

//json encode it
$jsonPasswd = json_encode($jsonPass);

echo($jsonPasswd);


if(password_verify($md5passwd, $jsonPasswd)) {
    echo "password is valid";
} else {
    echo "password is not valid";
}

$jsonUrl = ($webService->get( $opt ));

//json encode it
$json = json_encode($jsonUrl);

echo($json);

As you can see I've been trying out things like password_verify() and md5() but I can't quite get it. So is there anyone who has done this or who knows how to create a correct login script on the PrestaShop webservice?

Update — 12/1/2017
So after doing some research I've come up with a new way of checking the user input. First the code checks the email and if it's true it will continue with checking the password input. But the problem I'm having is with the password and the password encryption of PrestaShop. I'm not able to compare the two hashes together. The first hash would be the hash from the database, where the second hash is the user input password. The input would need a hash() function from PrestaShop. But I can't quite get to the right hash sequence of PrestaShop.

I've searched all over the internet for this but couldn't find a decent solution for logging in through the PrestaShop webservice. The script I've created for logging in is shown below.

require_once('./PSWebServiceLibrary.php');

/**
 * get information from PrestaShop
 */

$webService = new PrestaShopWebservice($url, $key, $debug);

$COOKIE_KEY = '_key';
$email = $_REQUEST['email'];
// hash the submitted password the way PrestaShop does: md5(_COOKIE_KEY_ . password)
$password = md5($COOKIE_KEY . $_REQUEST['password']);

// The database hash for testing (random)
$passwordString = '$2y$10$UsYrIFQUOr5LBUZBoqSdxODuhbToEc.2QEqfAVB1r\/fhO5EfOyO96';

$opt = array(
    'resource'       => 'customers',
    'filter[email]'  => '['.$email.']',
    'display' => '[email,lastname,firstname, passwd]'
);

$result = ($webService->get( $opt ));

$json = json_encode($result);


$optUser = array(
    'resource'       => 'customers',
    'filter[email]'  => '['.$email.']',
    'display' => '[email,lastname,firstname,passwd]'
);

$resultUser = ($webService->get( $optUser ));

$userResult = json_encode($resultUser);

// Check the email
function hasEmail($string, $email)
{
    return strpos($string, $email) !== false;
}

// Check the Password
function hasPassword($string, $password)
{
    return strpos($string, $password) !== false;
}

if(hasEmail($userResult, $email) == true and hasPassword($userResult, $password) == true)  {
    session_start();
    $_SESSION['user'] = $email;
    // redirect is broken.
    echo
        '<html>
         <head>
           <meta content="text/html; charset=utf-8">
         </head>
         </html>';
} else {
// Here, we use single quotes for PHP and double quotes for JavaScript
    echo '<script type="text/javascript">';
    echo 'alert("Wrong username or password!")';
    echo '</script>';
}

Small second question: How would I be able to run a "go to url" in the success statement? Currently the echo "<script></script>"; isn't working and since header() can't be used I'm having some trouble redirecting on success.

As always, Thanks in advance!

Solution

To generate the cookie key PrestaShop uses:

array('_COOKIE_KEY_', Tools::passwdGen(56)),
array('_COOKIE_IV_', Tools::passwdGen(8)),

So that cookie key is different every time. In order to verify if the password is good you should get the existing password from the database and compare it with your user-submitted password:

//CHECK IF THE GIVEN EMAIL MATCHES A ROW IN OUR LEGACY TABLE AND RETRIEVES THE LEGACY PASSWORD
$resultZC = Db::getInstance()->getRow('
SELECT `password`
FROM `zc_legacy_passwords`
WHERE `email` = \''.pSQL($email).'\'
AND `updated` = 0');

if (!$resultZC)
    return false; //<- EMAIL NOT FOUND IN NONE OF THE TABLES, SO IT IS AN INVALID LOGIN

//ENCRYPTS THE GIVEN PASSWORD IN ZEN-CART / OSCOMMERCE FORMAT
$salt = substr($resultZC['password'], strrpos($resultZC['password'],':')+1, 2);
$ZCpassword = md5($salt . $passwd) . ':' . $salt;

if ($ZCpassword != $resultZC['password'])
    return false; //<- WRONG ZEN-CART/OSCOMMERCE PASSWORD GIVEN

This is the part that you’re asking for:

//ENCRYPTS THE GIVEN PASSWORD IN ZEN-CART / OSCOMMERCE FORMAT
$salt = substr($resultZC['password'], strrpos($resultZC['password'],':')+1, 2);
$ZCpassword = md5($salt . $passwd) . ':' . $salt;

where $resultZC['password'] is the password stored in the database and $passwd is your password.

Answered By – Pascut

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0
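The answer's point, and the thing the question kept tripping over, is that you verify a password by fetching the stored hash, hashing the submitted password the same way (using whatever salt or key the stored hash was built with), and comparing the two. The following is an added example, not code from the question, the answer or the PrestaShop project. It assumes PrestaShop stores either a bcrypt hash from password_hash() (the "$2y$" form in the question's test value) or the legacy md5(_COOKIE_KEY_ . password) form, that PrestaShopWebservice::get() returns a SimpleXMLElement with a customers/customer structure, and the Zen-Cart "md5(salt . password):salt" layout the answer shows; the cookie key, the redirect path and the demo values are constructed placeholders.

```php
<?php
require_once('./PSWebServiceLibrary.php');

// Added example (not the page's or PrestaShop's own code). Assumed hash formats:
//   bcrypt "$2y$..."            -> password_verify()
//   legacy md5(_COOKIE_KEY_ . p) -> md5 of the site's cookie key prepended
//   Zen-Cart "md5(salt.p):salt"  -> salt is the 2 characters after the colon
// All comparisons go through hash_equals() so they run in constant time.

function verifyPrestashopPassword(string $stored, string $submitted, string $cookieKey): bool
{
    if (strpos($stored, '$2y$') === 0) {
        return password_verify($submitted, $stored);   // bcrypt carries its own salt
    }
    return hash_equals($stored, md5($cookieKey . $submitted));
}

function verifyZenCartPassword(string $stored, string $submitted): bool
{
    $colon = strrpos($stored, ':');
    if ($colon === false) {
        return false;                                   // not in the expected salted layout
    }
    $salt = substr($stored, $colon + 1, 2);
    return hash_equals($stored, md5($salt . $submitted) . ':' . $salt);
}

// Read the passwd field from the parsed response instead of running strpos()
// over json_encode() output, which matches substrings anywhere in the document.
function fetchStoredHash(PrestaShopWebservice $ws, string $email): ?string
{
    $xml = $ws->get([
        'resource'      => 'customers',
        'filter[email]' => '[' . $email . ']',          // bracketed filter value, as in the question
        'display'       => '[id,email,passwd]',
    ]);
    $customers = $xml->customers->customer ?? null;     // assumed response shape
    if ($customers === null || count($customers) !== 1) {
        return null;                                    // unknown or ambiguous email: failed login
    }
    return (string) $customers[0]->passwd;
}

// Login flow: verify first, then redirect before anything has been echoed,
// so header() still works (it only fails once output has started).
function loginCustomer(PrestaShopWebservice $ws, string $email, string $submitted, string $cookieKey): bool
{
    $stored = fetchStoredHash($ws, $email);
    if ($stored === null || !verifyPrestashopPassword($stored, $submitted, $cookieKey)) {
        return false;
    }
    session_start();
    session_regenerate_id(true);                        // fresh session id after authentication
    $_SESSION['user'] = $email;
    header('Location: /account.php');                   // constructed redirect target
    return true;
}

// Constructed demo values (not real customer data); exercised without a webservice.
$cookieKey  = 'CONSTRUCTED_COOKIE_KEY_PLACEHOLDER';
$legacyHash = md5($cookieKey . 'test');
$bcryptHash = password_hash('test', PASSWORD_BCRYPT);
$zcHash     = md5('ab' . 'test') . ':ab';

var_dump(verifyPrestashopPassword($legacyHash, 'test', $cookieKey));
var_dump(verifyPrestashopPassword($bcryptHash, 'test', $cookieKey));
var_dump(verifyPrestashopPassword($bcryptHash, 'wrong', $cookieKey));
var_dump(verifyZenCartPassword($zcHash, 'test'));
```

The pattern also answers the second question: a header('Location: ...') redirect is only rejected when the script has already produced output, so keep the echo of the raw webservice response out of the success path (or buffer it with ob_start()) and send the header before printing anything.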
