Users can't reset password hashed with an unknown algorithm

[sedough]

Users can't reset password hashed with an unknown algorithm

Description

I migrated to FusionAuth from a homegrown system that used the "bcrypt" algorithm to hash passwords. I had a custom password hasher installed in FusionAuth for the transition period, but I removed it recently. The problem is that some of the users hadn't logged in for years, and FusionAuth isn't letting them reset their passwords.

My users see:
FusionAuth encountered an unexpected error. Please review the troubleshooting guide found in the documentation for assistance and the available support channels.

I got this exception in the logs:

2022-08-03 3:20:30.767 PM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
io.fusionauth.api.security.UnknownEncryptionSchemeException: Unknown scheme [sha256-bcrypt].
	at io.fusionauth.api.security.DefaultPasswordEncryptorLibrary.lookup(DefaultPasswordEncryptorLibrary.java:48)
	at io.fusionauth.api.service.connector.FusionAuthConnector.confirmPassword(FusionAuthConnector.java:82)
	at io.fusionauth.api.service.connector.FusionAuthConnector.authenticateUserPassword(FusionAuthConnector.java:76)
	at io.fusionauth.api.service.connector.FusionAuthConnector.authenticate(FusionAuthConnector.java:58)
	at io.fusionauth.api.service.authentication.DefaultAuthenticationService.authenticateUser(DefaultAuthenticationService.java:512)
	at io.fusionauth.api.service.authentication.DefaultAuthenticationService.authenticate(DefaultAuthenticationService.java:139)
	at io.fusionauth.app.action.api.LoginAction.lambda$post$1(LoginAction.java:136)
	at io.fusionauth.app.action.api.BaseLoginAction.callLogin(BaseLoginAction.java:175)
	at io.fusionauth.app.action.api.LoginAction.post(LoginAction.java:136)

I was able to work around the problem by logging into the the admin screen, manually setting their password, and requesting a password reset email

Affects versions

v1.36.8

Steps to reproduce

Steps to reproduce the behavior:

1. Import a new user with a custom password hashing algorithm
2. Remove support for that algorithm from FusionAuth
3. Have user try to reset password
4. See error

Expected behavior

A password reset doesn't depend on FusionAuth validating the user's old password, so it should just update the password using the new hashing algorithm.

Related

• Importing a hash longer than 255 characters will fail.  #1778

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

[mooreds]

Thanks, this sure looks like a bug. Appreciate the detailed repro steps!

[sedough]

Follow-up: I tried writing a script to reset all affected users, and I'm running into the same exception trying to call /api/users/change-password.

[robotdan]

I would say this is working as designed. If you use a custom password plugin, you cannot remove it until all users have been migrated.

We could be more defensive and allow a password change when the plugin no longer exists, but FusionAuth will never expect a plugin to be removed if you still have users that use that hash.

[mooreds]

I would say the bug is not handling this gracefully. Also, I'm not sure why FusionAuth needs to care about the password hashing plugin when trying to reset the password.

Regardless, if this is working as designed, we should:

• not throw an exception in the log
• document it