fixed passwords being saved in plaintext

kgOrdersServer/Source/Auth.ServiceImpl.pas

@@ -113,11 +113,18 @@ begin
   userState := CheckUser( user, password );
 
   if userState = 0 then
+  begin
     raise EXDataHttpUnauthorized.Create('Invalid username or password');
-  if userState = 1 then
+    logger.Log(1, 'Login Error: Invalid username or password');
+  end
+  else if userState = 1 then
+  begin
     raise EXDataHttpUnauthorized.Create('User does not exist!');
-  if userState = 2 then
+    logger.Log(1, 'Login Error: User does not exist!');
+  end
+  else if userState = 2 then
     raise EXDataHttpUnauthorized.Create('User not active!');
+    logger.Log(1, 'Login Error: User not active!');
 
   JWT := TJWT.Create;
   try
@@ -144,12 +151,11 @@ function TAuthService.CheckUser(const user, password: string): Integer;
 var
   userStr: string;
   SQL: string;
-  date_created: string;
+  name: string;
   checkString: string;
 begin
-  //authDB := TAuthDatabase.Create(nil);
   Result := 0;
-  //Logger.Log( 3, Format('AuthService.CheckUser - User: "%s"', [user]) );
+  Logger.Log(1, Format('AuthService.CheckUser - User: "%s"', [user]) );
   SQL := 'select * from users where USER_NAME = ' + QuotedStr(user);
   DoQuery(authDB.uq, SQL);
   if authDB.uq.IsEmpty then
@@ -160,9 +166,9 @@ begin
     Result := 2 // user is not active
   else
   begin
-    //date_created := authDB.uq.FieldByName('date_created').AsString;
-    //checkString := THashSHA2.GetHashString(date_created + password, THashSHA2.TSHA2Version.SHA512).ToUpper;
-    if password = authDB.uq.FieldByName('PASSWORD').AsString then
+    name := authDB.uq.FieldByName('NAME').AsString;
+    checkString := THashSHA2.GetHashString(name + password, THashSHA2.TSHA2Version.SHA512).ToUpper;
+    if authDB.uq.FieldByName('PASSWORD').AsString = checkString then
     begin
       userName := user;
       userFullName:= authDB.uq.FieldByName('NAME').AsString;;
@@ -173,8 +179,7 @@ begin
       userQBID := authDB.uq.FieldByName('QB_ID').AsString;
       userAccessType := authDB.uq.FieldByName('ACCESS_TYPE').AsString;
 
-      //Logger.Log( 3, Format('AuthDB.SetLoginAuditEntry: "%s"', [user]) );
-      //AuthDB.SetLoginAuditEntry( userStr );
+      Logger.Log(1, Format('AuthDB.SetLoginAuditEntry: "%s"', [user]) );
       Result := 3; // Succcess
     end
     else

kgOrdersServer/Source/Common.Config.pas

@@ -31,7 +31,7 @@ var
 implementation
 
 uses
-  Bcl.Json, System.SysUtils, System.IOUtils, Common.Logging;
+  Bcl.Json, System.SysUtils, System.IOUtils, Common.Logging, System.StrUtils;
 
 procedure LoadServerConfig;
 var
@@ -58,11 +58,11 @@ begin
     Logger.Log(1, '-- Config file not found.');
   end;
 
-  Logger.Log(1, '-------------------------------------------------------------');
-  Logger.Log(1, '-- serverConfig.url: ' + serverConfig.url);
-  Logger.Log(1, '-- serverConfig.adminPassword: ' + serverConfig.adminPassword);
-  Logger.Log(1, '-- serverConfig.jwtTokenSecret: ' + serverConfig.jwtTokenSecret);
-  Logger.Log(1, '-- serverConfig.webAppFolder: ' + serverConfig.webAppFolder);
+  Logger.Log(1, '--- Server Config Values ---');
+  Logger.Log(1, '-- url: ' + serverConfig.url + IfThen(serverConfig.url = defaultServerUrl, ' [default]', ' [from config]'));
+  Logger.Log(1, '-- adminPassword: ' + serverConfig.adminPassword + IfThen(serverConfig.adminPassword = 'whatisthisusedfor', ' [default]', ' [from config]'));
+  Logger.Log(1, '-- jwtTokenSecret: ' + serverConfig.jwtTokenSecret + IfThen(serverConfig.jwtTokenSecret = 'super_secret0123super_secret4567', ' [default]', ' [from config]'));
+  Logger.Log(1, '-- webAppFolder: ' + serverConfig.webAppFolder + IfThen(serverConfig.webAppFolder = 'static', ' [default]', ' [from config]'));
   Logger.Log(1, '-- serverConfig.reportsFolder: ' + serverConfig.reportsFolder);
   Logger.Log(1, '--LoadServerConfig - end');
 end;

kgOrdersServer/Source/qbAPI.dfm

@@ -150,6 +150,15 @@ object fQB: TfQB
       TabOrder = 11
       OnClick = Button12Click
     end
+    object Button15: TButton
+      Left = 646
+      Top = 32
+      Width = 137
+      Height = 25
+      Caption = 'Update All Passwords'
+      TabOrder = 12
+      OnClick = Button15Click
+    end
   end
   object AdvPanel2: TAdvPanel
     Left = 0

kgOrdersServer/Source/qbAPI.pas

@@ -132,6 +132,7 @@ type
     Button14: TButton;
     AdvPanel1: TAdvPanel;
     asgData: TAdvStringGrid;
+    Button15: TButton;
     procedure Button1Click(Sender: TObject);
     procedure FormCreate(Sender: TObject);
     procedure Button2Click(Sender: TObject);
@@ -150,6 +151,7 @@ type
     procedure Button12Click(Sender: TObject);
     procedure Button13Click(Sender: TObject);
     procedure Button14Click(Sender: TObject);
+    procedure Button15Click(Sender: TObject);
   private
     { Private declarations }
     strict private
@@ -386,6 +388,27 @@ begin
   Memo2.Clear;
 end;
 
+procedure TfQB.Button15Click(Sender: TObject);
+var
+  SQL, name, password, newPassword: string;
+begin
+  Memo1.Clear;
+  Memo1.Lines.Add('Updating all passwords to know longer store passwords in plain text');
+  SQL := 'Select * from users';
+  doQuery(ordersDB.UniQuery1, SQL);
+  while (not ordersDB.UniQuery1.Eof) do
+  begin
+    ordersDB.UniQuery1.Edit;
+    name := ordersDB.UniQuery1.FieldByName('NAME').AsString;
+    password := ordersDB.UniQuery1.FieldByName('PASSWORD').AsString;
+    newPassword := THashSHA2.GetHashString(name + password, THashSHA2.TSHA2Version.SHA512).ToUpper;
+    ordersDB.UniQuery1.FieldByName('PASSWORD').AsString := newPassword;
+    ordersDB.UniQuery1.Post;
+    ordersDB.UniQuery1.Next;
+  end;
+  Memo1.Lines.Add('Finished updating passwords');
+end;
+
 procedure TfQB.DeleteCustomers();
 var
   SQL: string;

kgOrdersServer/kgOrdersServer.ini

@@ -2,10 +2,10 @@
 MemoLogLevel=3
 FileLogLevel=5
 webClientVersion=0.9.7
-LogFileNum=961
+LogFileNum=972
 
 [Database]
-Server=192.168.159.155
+Server=192.168.159.162
 --Server=192.168.102.130
 --Server=192.168.75.133
 Database=kg_order_entry