Migrating from homegrown auth. to RESTful Authentication

11175 · April 1, 2009, 9:36pm

I'm trying to port an existing, home grown authentication system to use RESTful Authentication (and then RoleRequirement on top of that).

I am concerned about how best to handle the existing user data in my users table so that legacy (pre-RESTful Auth users) can log in.

I already have an existing users table with salt and hashed versions of passwords, so I'm assuming that I will simply have to have a way to detect which user records are pre-existing and ensure that I run the MD5 against them the "legacy" way.

Obviously, all new user records end up with the RESTful Auth. hashing method applied to their passwords.

I'm looking for advice from anyone who has had to do this type of conversion before.

Thanks, Wes

Colin_Law1 · April 2, 2009, 7:38am

If you are happy with the security of your original hashing then you could just patch restful auth to use your existing technique.

11175 · April 2, 2009, 12:34pm

I'm looking for advice from anyone who has had to do this type of conversion before.

Thanks, Wes

One way could be to allow users to reset the password by requesting a token sent by email. So that everybody will be forced to update their passwords. You'll have to make it super clear so that users won't get upset seeing they can't log in anymore.