Reset passwords for user database when including External Authentication providers

Hello!

As a small business, we were planning to move to Fauna DB and stumbled upon an authorization problem.

First I was planning to use 3rd party identity providers like Auth0 or AWS Cognito, but at the moment we can’t afford a Team plan in order to have that feature. Luckily Fauna has its own Authorization functionality. We are planning to use that for the web and mobile apps; it looks doable.

The current database is MySQL on WordPress. We are okay with resetting passwords when we announce the total redesign of our website. I don’t see any other way to seamlessly move users to the new platform. Maybe I missed something; I would like to hear your opinions.

Eventually, if we want to step up to the Team Plan and plug in a 3rd party identity provider, do we need to reset passwords again?

I don’t see another way tbh, maybe someone else can chime in. In theory, if you can decrypt the passwords in your MySQL database then you can feed them into Fauna, but in many production systems we are unable to decrypt the passwords for good reasons. In that case I don’t see another way than to reset the passwords and ask the user to fill them in.

In that case, Fauna is not storing your users but Auth0 is, which means that you indeed have to go through it again. In Fauna a password can not be retrieved. If you are confident that you can store them securely and find a way that makes sense to decrypt them, you could opt to store them externally and verify the password outside of Fauna in this intermediate phase to ensure that you can easily switch to Auth0 afterwards (you can still make tokens directly after verifying the password instead of using Login()). In that case you are responsible for storing the passwords securely and verifying the passwords upon login.


Non-ideal workaround 1: I don’t think you can get around the password reset, but when moving to third-party auth you could present it to users in a way that provides them a benefit. In essence, you have legacy-auth users and third-party-auth users, and you give the user the choice to update when they would like to start using social sign-on features, in which case you redirect them through the password flow.

Non-ideal workaround 2: When users log in, you have their password in the application itself. You could silently upgrade users once they log in to the legacy system.


Looking further, it seems that some services (such as Auth0) offer a way to import password hashes. I’m looking internally into options to make such a transition smoother in the future.
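Workaround 2 in working form, as an added example that is not part of this thread or of Fauna's own code: the login path verifies the submitted password against the legacy hash and, only on success, creates the user in the new store while the plaintext is in hand. The legacy format assumed is WordPress's phpass portable hash (`$P$`); the two dicts standing in for the WordPress users table and for the new credential store (Fauna Credentials in the thread) are assumptions for the sake of a runnable example.

```python
import hashlib, hmac, secrets
# phpass "portable" hash as stored in the WordPress users table ($P$ prefix).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes, count: int) -> str:
    out, i = [], 0                    # phpass custom base64: 3 bytes -> 4 chars
    while i < count:
        value = data[i]; i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count: value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count: break
        i += 1
        if i < count: value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count: break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def _phpass_crypt(password: bytes, setting: str) -> str:
    rounds = 1 << ITOA64.index(setting[3])      # 'B' = 2**13 rounds (WordPress default)
    digest = hashlib.md5(setting[4:12].encode() + password).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)

def phpass_verify(password: str, stored: str) -> bool:
    if not stored.startswith("$P$") or len(stored) != 34: return False
    return hmac.compare_digest(_phpass_crypt(password.encode(), stored), stored)

# Constructed sample data: one legacy WordPress user, new store still empty.
# Assumption: the dict stands in for the new credential store (Fauna in the thread).
LEGACY = {"alice": _phpass_crypt(b"correct horse battery", "$P$B8f3kQzLr")}
NEW_STORE: dict = {}
def _new_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 310_000)

def login(username: str, password: str) -> bool:
    # Workaround 2: check whichever store holds the user; migrate on a good login.
    if username in NEW_STORE:                    # already migrated
        salt, digest = NEW_STORE[username]
        return hmac.compare_digest(_new_hash(password, salt), digest)
    stored = LEGACY.get(username)
    if stored is None or not phpass_verify(password, stored):
        return False                             # wrong password: never migrate
    salt = secrets.token_bytes(16)               # plaintext is in hand only right here
    NEW_STORE[username] = (salt, _new_hash(password, salt))
    del LEGACY[username]                         # legacy MD5-based hash is dropped
    return True
```

A failed login leaves the user untouched in the legacy table, so the upgrade only ever happens for a password that actually verified.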

Thanks a lot!

For those who are also looking for a solution for how to move users from WordPress to Fauna seamlessly, I think this might be a solution in case you choose AWS Cognito as an identity provider here.

We probably want to provide a hashed password import/export in the long run similar to what Auth0 seems to do (Bulk User Import Database Schema and Examples). I have opened an internal ticket with a feature request for that. Feel free to open a Feature request on the forum so users can vote on that.
