
Database password login provider

This login provider compares passwords with hashed passwords stored in the Flow database. Passwords can be imported in clear text or in various hashed forms. This login provider is always enabled and cannot be turned off.

note

Passwords are always stored internally in cryptographically strong hashed form in the database, no matter how they were imported into Flow.

Cleartext passwords

If passwords are imported in cleartext, there is nothing to configure; users can log in via email and password on the Flow login UI. Note that the passwords are cryptographically hashed during the import step.

Hashed passwords

If passwords are imported in hashed form (pre-hashed), the hashing algorithm and its specification must also be defined so that Flow can apply the same transformation to the user's input on the Flow login UI. The algorithm and its specification are defined per user in the passwordPreHashing field. Note that pre-hashed passwords are hashed again in a cryptographically strong way during import, no matter which pre-hashing algorithm was used.

Supported pre-hashing methods

Currently, the following algorithms are supported when importing pre-hashed passwords:

Basic hashing algorithms

  • MD5
  • SHA1
  • SHA224
  • SHA256
  • SHA384
  • SHA512

These algorithms don't require any extra specifications.

Hmac hashing algorithms

  • HmacMD5
  • HmacSHA1
  • HmacSHA224
  • HmacSHA256
  • HmacSHA384
  • HmacSHA512

These algorithms require hmacKey to be defined; see the example below.

PBE hashing algorithms

  • PBEWithHmacSHA1AndAES_128
  • PBEWithHmacSHA224AndAES_128
  • PBEWithHmacSHA256AndAES_128
  • PBEWithHmacSHA384AndAES_128
  • PBEWithHmacSHA512AndAES_128
  • PBEWithHmacSHA1AndAES_256
  • PBEWithHmacSHA224AndAES_256
  • PBEWithHmacSHA256AndAES_256
  • PBEWithHmacSHA384AndAES_256
  • PBEWithHmacSHA512AndAES_256

These algorithms require salt and pbeInfos to be defined. Also, saltMode must be set to PBE_ALGORITHM. See example below.

Salting

Salts are supported with all hashing methods. The following salt modes are supported:

  • NONE: No salt will be applied.
  • SALT_AS_PREFIX: Salt will be applied with string concatenation as prefix -> hash(salt + password).
  • SALT_AS_SUFFIX: Salt will be applied with string concatenation as suffix -> hash(password + salt).
  • PBE_ALGORITHM: Salt will be applied according to the PBE key spec.

If saltMode is not NONE, salt must be defined.

Examples

The following examples show the relevant portion of the JSON payload of a Flow user for the most common use cases:

Passwords are sent as MD5 hashes without salt

{
  ...
  "passwordHash": "<HASHED_PASSWORD>",
  "passwordPreHashing": {
    "algorithm": "MD5"
  }
}

Passwords are sent as HmacSHA256 hashes generated with an HMAC key

{
  ...
  "passwordHash": "<HASHED_PASSWORD>",
  "passwordPreHashing": {
    "algorithm": "HmacSHA256",
    "hmacKey": "<SECRET_KEY>"
  }
}

Passwords are sent as a PBE hash

{
  ...
  "passwordHash": "<HASHED_PASSWORD>",
  "passwordPreHashing": {
    "algorithm": "PBEWithHmacSHA512AndAES_256",
    "salt": "<SALT>",
    "saltMode": "PBE_ALGORITHM",
    "pbeInfos": {
      "iterationCount": 2000,
      "keyLength": 512
    }
  }
}
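The following script is an added example and is not Flow's own code. It reproduces the pre-hashing step described on this page (basic, Hmac and PBE algorithms, plus the salt modes) from a passwordPreHashing spec, so that a migration can be sanity-checked against a test account whose password is known before a bulk import is run. Assumptions, not stated by the page: the hash is hex-encoded, hmacKey and salt are UTF-8 strings, and the PBE algorithms derive the key with PBKDF2 over the named HMAC with keyLength in bits (as in Java's PBEKeySpec). If Flow encodes hashes or derives PBE keys differently, adjust pre_hash accordingly.

```python
import hashlib
import hmac
import json

# Page's algorithm names mapped to hashlib digest names (added example, not Flow code).
_BASIC = {
    "MD5": "md5", "SHA1": "sha1", "SHA224": "sha224",
    "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512",
}


def _salted_input(password: str, spec: dict) -> bytes:
    """Apply SALT_AS_PREFIX / SALT_AS_SUFFIX by string concatenation, per the page."""
    mode = spec.get("saltMode", "NONE")
    salt = spec.get("salt")
    if mode != "NONE" and salt is None:
        raise ValueError("salt must be defined when saltMode is not NONE")
    if mode == "NONE":
        return password.encode()
    if mode == "SALT_AS_PREFIX":
        return (salt + password).encode()
    if mode == "SALT_AS_SUFFIX":
        return (password + salt).encode()
    if mode == "PBE_ALGORITHM":
        return password.encode()  # the salt is consumed by the PBE key spec instead
    raise ValueError(f"unknown saltMode {mode!r}")


def pre_hash(password: str, spec: dict) -> str:
    """Compute the legacy (pre-hashed) form of a password for a passwordPreHashing spec.
    Returns lowercase hex (assumption: Flow's hash encoding is hex)."""
    alg = spec["algorithm"]
    if alg in _BASIC:
        return hashlib.new(_BASIC[alg], _salted_input(password, spec)).hexdigest()
    if alg.startswith("Hmac"):
        key = spec.get("hmacKey")
        if key is None:
            raise ValueError("hmacKey must be defined for Hmac algorithms")
        digest = _BASIC[alg[len("Hmac"):]]
        return hmac.new(key.encode(), _salted_input(password, spec), digest).hexdigest()
    if alg.startswith("PBEWithHmac"):
        if spec.get("saltMode") != "PBE_ALGORITHM":
            raise ValueError("PBE algorithms require saltMode PBE_ALGORITHM")
        if spec.get("salt") is None or "pbeInfos" not in spec:
            raise ValueError("PBE algorithms require salt and pbeInfos")
        prf = _BASIC[alg[len("PBEWithHmac"):alg.index("And")]]
        info = spec["pbeInfos"]
        # Assumption: PBE key derivation is PBKDF2 with the named HMAC; keyLength is in bits.
        derived = hashlib.pbkdf2_hmac(prf, password.encode(), spec["salt"].encode(),
                                      info["iterationCount"], info["keyLength"] // 8)
        return derived.hex()
    raise ValueError(f"unsupported pre-hashing algorithm {alg!r}")


def check_legacy_hash(password: str, legacy_hash: str, spec: dict) -> bool:
    """Pre-import sanity check: does this spec reproduce the hash the legacy system
    stored for an account whose password is known? Constant-time comparison."""
    return hmac.compare_digest(pre_hash(password, spec).lower(), legacy_hash.lower())


def import_record(legacy_hash: str, spec: dict) -> dict:
    """The passwordHash / passwordPreHashing portion of a Flow user payload."""
    return {"passwordHash": legacy_hash, "passwordPreHashing": spec}


if __name__ == "__main__":
    # Constructed legacy data: a test account whose password ("password") is known
    # and whose legacy system stored unsalted MD5.
    legacy_hash = "5f4dcc3b5aa765d61d8327deb882cf99"
    spec = {"algorithm": "MD5"}
    if not check_legacy_hash("password", legacy_hash, spec):
        raise SystemExit("spec does not reproduce the legacy hash; do not import")
    print(json.dumps(import_record(legacy_hash, spec), indent=2))
```

Run the check against one or two known accounts before importing the whole user base: a wrong saltMode or hash encoding is cheap to catch here and expensive after import. The import payload itself contains the hmacKey and legacy hashes that are only as strong as the legacy scheme (an unsalted MD5 list is trivially crackable), so treat the payload as a secret and delete it once the import is done.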