Issue with bcrypt on import of users
-
The bcrypt passwords have the salt stored in their own hash, yet imported users get an unexpected error when trying to log in. There is a "Bad salt length" error in the FA logs.
I am using 1.25.
Steps to reproduce the behavior:
- Create a bcrypt-hashed password (you can use online bcrypt generators) using 4 rounds
- Make a request to the FusionAuth Import API with JSON like:
  {
    "users": [
      {
        "username": "username",
        "active": true,
        "password": "generatedhash",
        "salt": "",
        "encryptionScheme": "bcrypt",
        "email": "test@gmail.com",
        "factor": 4,
        "verified": true,
        "registrations": [
          { "applicationId": "id" }
        ]
      }
    ]
  }
- Import succeeds with status 200
- Try to log in with the imported user into the application
- Receive an unexpected error when trying to log in (only with this user). Logs say "bad salt length". The user is visible via the FA admin; after changing his password via the dashboard, his login works
-
You'll need to separate out the hash and the salt on the Import API.
For example, the hash
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
would be split out to the fields:
factor: 10
salt: N9qo8uLOickgx2ZMRZoMye
password: IjZAgcfl7p92ldGxad68LJZdL17lhWy
The Import API does not parse this value and separate it out for you. You need to do so.
Here is an example import script (in Ruby): https://github.com/FusionAuth/fusionauth-import-scripts/blob/master/auth0/import.rb#L47
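As an added example (not the linked FusionAuth import script), the following Ruby helper performs the split described above on a modular-crypt bcrypt string and builds an Import API user entry with separate factor, salt and password fields; the applicationId value is a placeholder you would replace with your own application's id.

```ruby
require 'json'

# Modular-crypt bcrypt layout: $2a$<2-digit cost>$<22-char salt><31-char hash>.
# The 2b/2y/2x prefixes and the old "$2$" prefix use the same layout.
BCRYPT_RE = /\A\$2[abxy]?\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Split a bcrypt string into the pieces the Import API expects.
# Raises ArgumentError on anything that is not a well-formed bcrypt hash,
# so a malformed source record fails loudly instead of importing a user
# who can never log in.
def split_bcrypt(hash_string)
  m = BCRYPT_RE.match(hash_string)
  raise ArgumentError, "not a well-formed bcrypt hash: #{hash_string.inspect}" unless m
  { factor: m[1].to_i, salt: m[2], password: m[3] }
end

# Build one entry for the "users" array of an Import API request body.
# application_id is a placeholder; supply the real id from your tenant.
def import_user(username, email, bcrypt_hash, application_id: "APPLICATION_ID_PLACEHOLDER")
  parts = split_bcrypt(bcrypt_hash)
  {
    "username" => username,
    "email" => email,
    "active" => true,
    "verified" => true,
    "encryptionScheme" => "bcrypt",
    "factor" => parts[:factor],          # cost, e.g. 10 or 4
    "salt" => parts[:salt],              # 22-char salt, not empty
    "password" => parts[:password],      # 31-char hash portion only
    "registrations" => [{ "applicationId" => application_id }]
  }
end

# Serialize the full request body for POST /api/user/import.
def import_body(users)
  JSON.generate({ "users" => users })
end

if __FILE__ == $PROGRAM_NAME
  # The hash used in the answer above, run through the helper.
  sample = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
  puts import_body([import_user("username", "test@gmail.com", sample)])
end
```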