-
Notifications
You must be signed in to change notification settings - Fork 2
Algorithms
##Registration page
User provides an e-mail and a password (with password check). Only a generated hash of the password and a pseudo-randomly generated password md5 hash salt will be stored in the database.
###Password hashing algorithm 1. Grab password from input form 1.1 Exception flow - Password has less than 8 characters, display error message. Exit flow. 1.2 Exception flow - Passwords don't match, display error message. Exit flow. 2. Hash the password with a sha256 algorithm. 3. Generate a pseudo-random md5 salted hash. 4. The password hash from step 2. is concatenated with the salt hash from step 3. 5. The string from step 4. is hashed once more with sha256 to provide the final password hash. 6. The resulting hash from step 5. is stored as password on the database. 7. The salt from step 3. is stored as salt on the database.
1. Grab e-mail and password from input form
1.1 Exception flow - If Any field is left blank, display error message. Exit flow.
1.2 Exception flow - Password has less than 8 characters, display error message. Exit flow.
2. Hash the provided password with 256sha algorithm
3. Grab user information from database by provided e-mail
4. Grab user salt from user information fetched on step 3.
5. Concatenate provided password hash from step 2. with salt provided on step 4.
6. Hash the concatenated string from step 5. using 256sha algorithm
7. Check if the hash generated on step 6. is equal to the database stored password hash from user information fetched on step 3.
7.1 Passwords don't match, display error message. Exit flow.
8. Fetch user token from user information fetched on step 3.
9. Display user login success message with valid token from step 3.
1. Grab user information from api_user filtering by e-mail
2. Grab token_id field from api_user record provided on step 1.;
2.1 User record has no token_id associated. Generate new api_token and associate to this user;
3. Grab api_token record where api_token.auto_id equals the token_id provided on step 2.
3.1 If the user created_at field is more than 7 days old (grab system current time to compare), generate new pseudo-random token and insert a new record to the api_token table with it. Update api_user record provided on step 1. so that the recently generated token's token_id is associated to the user instead of the expired token.
4. Return token field from updated api_token related to this user.
Note: Command line in GNU/Linux for generating hash:
echo -n mypassword | sha256sum (or md5sum)