Do not update passwords if nothing changed #33485
Conversation
I'll skip adding a transaction as the 99% case should be that no update is performed at all (as the password didn't change). Furthermore preliminary filtering is also not very suitable, as it would require filter by the password field. We could add a debounce to only check and update the passwords very n minutes, but that may then lead to outdated tokens that could not reliably be updated with the most recent password.
Signed-off-by: Julius Härtl <jus@bitgrid.net>
a71e9f3 to 9d1ec58
Rebased and squashed, tests seemed to be happy already.
/backport to stable24
/backport to stable23
Many thanks! ... I just started debugging, why my MySQL binlogs are so big ... and I saw all those
/backport to stable22
Has anyone verified if this has any effect? I just installed 23.0.8 and still see all the user's oc_authtokens being updated on basic auth requests. My theory: this patch compares the saved encrypted password with the newly generated encrypted password. What it does not take into account is that openssl_public_encrypt outputs a different ciphertext every time, even on identical input values. See https://stackoverflow.com/a/2980121 for an explanation.
Thanks for letting us know. I'm unsure on why this didn't show up in my tests, as I managed to not get the updates on my dev instance and also did profiling for comparison, but with a simple php example I can confirm that we need to check the clear text password for that. I'll have another look into that.
Or the hashed password. Hashes are stable too (if the salt is identical, of course)
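As an added example (not code from this PR or from Nextcloud), the PHP snippet below demonstrates the point raised in the last two comments: two calls to `openssl_public_encrypt` on the same password yield different ciphertexts, so comparing stored and freshly generated ciphertexts can never detect an unchanged password, while a comparison on a stable value does. It generates a throwaway RSA key pair and uses a constructed sample password; `ciphertextsMatch`, `plaintextsMatch`, `passwordFingerprint`, `passwordChanged` and the HMAC key are hypothetical names introduced only for this demonstration.

```php
<?php
// Added example, not Nextcloud code. Shows why two ciphertexts of the same
// password cannot be compared, and a stable comparison via a keyed hash.

// Throwaway RSA key pair, generated only for this demonstration.
$privateKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$publicKeyPem = openssl_pkey_get_details($privateKey)['key'];

/**
 * Encrypt the same plaintext twice and report whether the ciphertexts match.
 * The default padding of openssl_public_encrypt (PKCS#1 v1.5) inserts random
 * bytes before encrypting, so the two ciphertexts differ on every run.
 */
function ciphertextsMatch(string $plaintext, string $publicKeyPem): bool
{
    openssl_public_encrypt($plaintext, $first, $publicKeyPem);
    openssl_public_encrypt($plaintext, $second, $publicKeyPem);
    return $first === $second;
}

/**
 * Decrypt both ciphertexts to show that they carry identical data despite
 * differing on the wire: equality has to be decided on the plaintext side.
 */
function plaintextsMatch(string $plaintext, string $publicKeyPem, $privateKey): bool
{
    openssl_public_encrypt($plaintext, $first, $publicKeyPem);
    openssl_public_encrypt($plaintext, $second, $publicKeyPem);
    openssl_private_decrypt($first, $decryptedFirst, $privateKey);
    openssl_private_decrypt($second, $decryptedSecond, $privateKey);
    return $decryptedFirst === $decryptedSecond;
}

/**
 * Stable fingerprint of a password (hypothetical helper for this example).
 * With a fixed key, identical passwords always produce identical tags, so the
 * tag can be stored next to the token and compared on later requests without
 * touching the RSA ciphertext at all. The fixed HMAC key plays the role of the
 * "identical salt" mentioned in the comment above.
 */
function passwordFingerprint(string $password, string $hmacKey): string
{
    return hash_hmac('sha256', $password, $hmacKey);
}

/**
 * Decide whether tokens need re-encryption: only when the fingerprint of the
 * password presented now differs from the stored one. hash_equals keeps the
 * comparison constant-time.
 */
function passwordChanged(string $storedFingerprint, string $presentedPassword, string $hmacKey): bool
{
    return !hash_equals($storedFingerprint, passwordFingerprint($presentedPassword, $hmacKey));
}

// Constructed sample values.
$password = 'correct horse battery staple';
$hmacKey = random_bytes(32); // a real deployment would persist this key

printf("same ciphertext twice: %s\n", ciphertextsMatch($password, $publicKeyPem) ? 'yes' : 'no');
printf("same plaintext twice:  %s\n", plaintextsMatch($password, $publicKeyPem, $privateKey) ? 'yes' : 'no');

$stored = passwordFingerprint($password, $hmacKey);
printf("unchanged password:    %s\n", passwordChanged($stored, $password, $hmacKey) ? 'update tokens' : 'skip update');
printf("changed password:      %s\n", passwordChanged($stored, 'a different password', $hmacKey) ? 'update tokens' : 'skip update');
```

Run it with `php example.php` (requires the openssl extension). The first line reports that the two ciphertexts never match, the second that they still decrypt to the same plaintext, which is exactly the situation in which a ciphertext comparison keeps rewriting every token on each basic-auth request. The fingerprint comparison skips the update for an unchanged password and triggers it only when the password actually differs.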
This would avoid updating the password on all authtokens if nothing has changed.
It may especially result in heavy requests when using the user password to authenticate through basic auth, where then every request would trigger an update of all tokens.
Todo