Password hash mismatch after upgrade docker community server from 10.0.4 to 12.5

[tsaijian]

Hi all

• I am trying upgrade my docker community server from 10.0.4 to 12.5, everything work OK, but failed to login on the web. It showing invalid user name or password.
• Try access the container and find the s.pwdhash in web.sql.log did not match the pwdhash in the database (which store in database onlyoffice table core_usersecurity). So the web UI prompt login failed info.
• Has anyone experienced this problem? Please help and support, Thanks in advance!

[Carazyda]

Hello @tsaijian Please describe in more detail how you installed Onlyoffice and updated it? All portal users cannot log in? Have you tried resetting your password via email?

[tsaijian]

Hi @Carazyda Thanks for your response. Upgrade steps as below:

• Backup old mysql data using mysqldump in old mysql 5.7.37 docker container

• Setup a new mysql 8.0.29 docker container and restore the sql data

• Pull community server 12.5.2.1848, starting container with new mysql container and pick up all the data folder

• Seems like the password hash algorithm has changed in new version, the calculation result does not correspond to the database field. As a result, the login fails.

Things to check:
Q: All portal users cannot log in?
A：Yes

Q: Have you tried resetting your password via email?
A: After resetting password i can successfully login the community server.

Q: Check mysql data
A: Check some table in mysql 8.0.29, the sql table upgrade as expect, such as remove pwdhashsha512 column in onlyoffice.upgradev120.sql

[Carazyda]

Did you copy core.machinekey from version 10.0 into the new community server container? It is contained in configuration files, for example /var/www/onlyoffice/WebStudio/web.appsettings.config. I'm afraid that if you have lost it, the only way to reset your password is by email.

[tsaijian]

@Carazyda I checked old container and the new container, core.machinekey is same value. Is there any other info needed?

[tsaijian]

And from the length of pwdhash store in database, i guessing the old version is using base64 encode md5 string. Because the result length of base64 encode any type of sha algorithm is longer than base64 encode md5.

One of pwdhash store in old database:　yIUJb/sQ9PZQzkUC7nL7Vs3ED2QRwwJU63FGhYR0x0M=
(length equal to base64 md5)

The pwdhash update in new version:　dLat64t2EwmppdcZjG3u4bDzux/c70+n91REuwwVWSlDDQDvezQwwMnlJ306AiEwWzY9xyAIt46/S4+eN/gyvw==
(length equal to base64 sha256)

[Carazyda]

We examined our code and in version 12.0.0 we disabled password rewriting with a new hash. For the first step, you need to update version 10.0.4 to 11.6.0. After that, update to the current version 12.5.2.

[Carazyda]

It is also necessary for all users to be logged in to version 11.6.0 to rewrite the password hash.

[kovacs-andras]

Hi! The same happened with me, all my users had to reset their passwords.
But a password change sometimes couldn't hurt much.
But be careful, if you've enable(d) 2FA previously, it can make a logical problem with the password reset, I mean the users should reset their passwords twice.