Re: RM1849: Auto-generating security keys - Mailing list pgadmin-hackers

Hi Dave,

On Tue, Oct 11, 2016 at 9:10 PM, Dave Page <dpage@pgadmin.org> wrote:

Hi Ashesh,

Can you please review the attached patch, and apply if you're happy with it?

Overall the patch looked good to me.

But - I encounter an issue in 'web' mode, which wont happen with 'runtime'.

Steps for reproduction on existing pgAdmin 4 environment with 'web' mode.

- Apply the patch

- Start the pgAdmin4 application (stand alone application).

- Open pgAdmin home page.

- Log out (if already login).

And, you will see an exception.

I have figure out the issue with the patch.

We were setting the SECURITY_PASSWORD_SALT, after initializing the Security object.

Hence - it could not set the SECURITY_KEY, and SECURITY_PASSWORD_SALT properly.

I had moved the Security object initialization after fetching these configurations from the database.

I have attached a addon patch for the same.

Now - I run into another issue.

Because - the existing password was hashed using the old SECURITY_PASSWORD_SALT, I am no more able to login to pgAdmin 4.

I think - we need to think about different strategy for upgrading the configuration file in the 'web' mode.

I was thinking - we can store the existing security configurations in the database during upgrade process in 'web' mode.