OpenCart

Migrate customers table from MijoShop to OpenCart 3

When we migrate customers from MijoShop to OpenCart there is a little problem: the methods to hash passwords are different and thus when our customers try to login  the passwords do not match.

In this post I will show you how to migrate and fix the problem.

Understanding the problem

OpenCart uses SHA1 and a random salt to store the password, but MijoShop uses different methods depending of the Joomla version. Sometimes it uses password_hash methods, I mean, bcrypt.

So we only have to fix it on the login. First we check if the password (hashed) contains the string $P$ or $2; the second one tell us that it was hashed with bcrypt.

In case it was hashed with SHA1 (OpenCart method), the hashed password will not contain any of these strings and then we leave OpenCart handle the login as usually.

But if the hash contains one of those strings, we check if it matches with two algorithms.

At the end, if the password matches in one of the three ways, we allow the user to login.

Code to fix migration from MijoShop to OpenCart

Note: remember that all of these modifications could be inside a ocmod/vqmod modification, here I’m just showing what to edit.

We must edit the file called customer.php, it’s located on system/library/cart/customer.php. In that file we will:

  1. Add a class called PasswordHash, obtained from Joomla source code
  2. Add a method called joomla_check to the Customer class, this will check the password hash and figure out which algoritmh was used.
  3. Modify the login method to call the joomla_check

Thanks to this forum thread I could figure out how to make OpenCart compatible with MijoShop. First we need the class that Joomla uses, and it’s as follow:

<?php
class PasswordHash {
 var $itoa64;
 var $iteration_count_log2;
 var $portable_hashes;
 var $random_state;

 function __construct($iteration_count_log2, $portable_hashes)
 {
  $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

  if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
   $iteration_count_log2 = 8;
  $this->iteration_count_log2 = $iteration_count_log2;

  $this->portable_hashes = $portable_hashes;

  $this->random_state = microtime();
  if (function_exists('getmypid'))
   $this->random_state .= getmypid();
 }

 function PasswordHash($iteration_count_log2, $portable_hashes)
 {
  self::__construct($iteration_count_log2, $portable_hashes);
 }

 private function get_random_bytes($count)
 {
  $output = '';
  if (@is_readable('/dev/urandom') &&
      ($fh = @fopen('/dev/urandom', 'rb'))) {
   $output = fread($fh, $count);
   fclose($fh);
  }

  if (strlen($output) < $count) {
   $output = '';
   for ($i = 0; $i < $count; $i += 16) {
    $this->random_state =
        md5(microtime() . $this->random_state);
    $output .= md5($this->random_state, TRUE);
   }
   $output = substr($output, 0, $count);
  }

  return $output;
 }

 private function encode64($input, $count)
 {
  $output = '';
  $i = 0;
  do {
   $value = ord($input[$i++]);
   $output .= $this->itoa64[$value & 0x3f];
   if ($i < $count)
    $value |= ord($input[$i]) << 8;
   $output .= $this->itoa64[($value >> 6) & 0x3f];
   if ($i++ >= $count)
    break;
   if ($i < $count)
    $value |= ord($input[$i]) << 16;
   $output .= $this->itoa64[($value >> 12) & 0x3f];
   if ($i++ >= $count)
    break;
   $output .= $this->itoa64[($value >> 18) & 0x3f];
  } while ($i < $count);

  return $output;
 }

 private function gensalt_private($input)
 {
  $output = '$P$';
  $output .= $this->itoa64[min($this->iteration_count_log2 +
   ((PHP_VERSION >= '5') ? 5 : 3), 30)];
  $output .= $this->encode64($input, 6);

  return $output;
 }

 private function crypt_private($password, $setting)
 {
  $output = '*0';
  if (substr($setting, 0, 2) === $output)
   $output = '*1';

  $id = substr($setting, 0, 3);
  # We use "$P$", phpBB3 uses "$H$" for the same thing
  if ($id !== '$P$' && $id !== '$H$')
   return $output;

  $count_log2 = strpos($this->itoa64, $setting[3]);
  if ($count_log2 < 7 || $count_log2 > 30)
   return $output;

  $count = 1 << $count_log2;

  $salt = substr($setting, 4, 8);
  if (strlen($salt) !== 8)
   return $output;

  # We were kind of forced to use MD5 here since it's the only
  # cryptographic primitive that was available in all versions
  # of PHP in use.  To implement our own low-level crypto in PHP
  # would have resulted in much worse performance and
  # consequently in lower iteration counts and hashes that are
  # quicker to crack (by non-PHP code).
  $hash = md5($salt . $password, TRUE);
  do {
   $hash = md5($hash . $password, TRUE);
  } while (--$count);

  $output = substr($setting, 0, 12);
  $output .= $this->encode64($hash, 16);

  return $output;
 }

 private function gensalt_blowfish($input)
 {
  # This one needs to use a different order of characters and a
  # different encoding scheme from the one in encode64() above.
  # We care because the last character in our encoded string will
  # only represent 2 bits.  While two known implementations of
  # bcrypt will happily accept and correct a salt string which
  # has the 4 unused bits set to non-zero, we do not want to take
  # chances and we also do not want to waste an additional byte
  # of entropy.
  $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

  $output = '$2a$';
  $output .= chr(ord('0') + $this->iteration_count_log2 / 10);
  $output .= chr(ord('0') + $this->iteration_count_log2 % 10);
  $output .= '$';

  $i = 0;
  do {
   $c1 = ord($input[$i++]);
   $output .= $itoa64[$c1 >> 2];
   $c1 = ($c1 & 0x03) << 4;
   if ($i >= 16) {
    $output .= $itoa64[$c1];
    break;
   }

   $c2 = ord($input[$i++]);
   $c1 |= $c2 >> 4;
   $output .= $itoa64[$c1];
   $c1 = ($c2 & 0x0f) << 2;

   $c2 = ord($input[$i++]);
   $c1 |= $c2 >> 6;
   $output .= $itoa64[$c1];
   $output .= $itoa64[$c2 & 0x3f];
  } while (1);

  return $output;
 }

 public function HashPassword($password)
 {
  $random = '';

  if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
   $random = $this->get_random_bytes(16);
   $hash =
       crypt($password, $this->gensalt_blowfish($random));
   if (strlen($hash) === 60)
    return $hash;
  }

  if (strlen($random) < 6)
   $random = $this->get_random_bytes(6);
  $hash =
      $this->crypt_private($password,
      $this->gensalt_private($random));
  if (strlen($hash) === 34)
   return $hash;

  # Returning '*' on error is safe here, but would _not_ be safe
  # in a crypt(3)-like function used _both_ for generating new
  # hashes and for validating passwords against existing hashes.
  return '*';
 }

 public function CheckPassword($password, $stored_hash)
 {
  $hash = $this->crypt_private($password, $stored_hash);
  if ($hash[0] === '*')
   $hash = crypt($password, $stored_hash);

  # This is not constant-time.  In order to keep the code simple,
  # for timing safety we currently rely on the salts being
  # unpredictable, which they are at least in the non-fallback
  # cases (that is, when we use /dev/urandom and bcrypt).
  return $hash === $stored_hash;
 }
}

We must put it on an accesible place from customer.php (i put it inside the file):

Add PasswordHash to OpenCart customer class

The class is minimized but it’s above Customer class. Then we add the private function joomla_check inside the Customer class:

Add joomla check

Finally we modify the login method adding the logic to check if the passwords belong to joomla:

Modify login method on customer class – OpenCart

And we are ready. The final code looks like this:

<?php
namespace Cart;
class PasswordHash {
 var $itoa64;
 var $iteration_count_log2;
 var $portable_hashes;
 var $random_state;

 function __construct($iteration_count_log2, $portable_hashes)
 {
  $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

  if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
   $iteration_count_log2 = 8;
  $this->iteration_count_log2 = $iteration_count_log2;

  $this->portable_hashes = $portable_hashes;

  $this->random_state = microtime();
  if (function_exists('getmypid'))
   $this->random_state .= getmypid();
 }

 function PasswordHash($iteration_count_log2, $portable_hashes)
 {
  self::__construct($iteration_count_log2, $portable_hashes);
 }

 private function get_random_bytes($count)
 {
  $output = '';
  if (@is_readable('/dev/urandom') &&
      ($fh = @fopen('/dev/urandom', 'rb'))) {
   $output = fread($fh, $count);
   fclose($fh);
  }

  if (strlen($output) < $count) {
   $output = '';
   for ($i = 0; $i < $count; $i += 16) {
    $this->random_state =
        md5(microtime() . $this->random_state);
    $output .= md5($this->random_state, TRUE);
   }
   $output = substr($output, 0, $count);
  }

  return $output;
 }

 private function encode64($input, $count)
 {
  $output = '';
  $i = 0;
  do {
   $value = ord($input[$i++]);
   $output .= $this->itoa64[$value & 0x3f];
   if ($i < $count)
    $value |= ord($input[$i]) << 8;
   $output .= $this->itoa64[($value >> 6) & 0x3f];
   if ($i++ >= $count)
    break;
   if ($i < $count)
    $value |= ord($input[$i]) << 16;
   $output .= $this->itoa64[($value >> 12) & 0x3f];
   if ($i++ >= $count)
    break;
   $output .= $this->itoa64[($value >> 18) & 0x3f];
  } while ($i < $count);

  return $output;
 }

 private function gensalt_private($input)
 {
  $output = '$P$';
  $output .= $this->itoa64[min($this->iteration_count_log2 +
   ((PHP_VERSION >= '5') ? 5 : 3), 30)];
  $output .= $this->encode64($input, 6);

  return $output;
 }

 private function crypt_private($password, $setting)
 {
  $output = '*0';
  if (substr($setting, 0, 2) === $output)
   $output = '*1';

  $id = substr($setting, 0, 3);
  # We use "$P$", phpBB3 uses "$H$" for the same thing
  if ($id !== '$P$' && $id !== '$H$')
   return $output;

  $count_log2 = strpos($this->itoa64, $setting[3]);
  if ($count_log2 < 7 || $count_log2 > 30)
   return $output;

  $count = 1 << $count_log2;

  $salt = substr($setting, 4, 8);
  if (strlen($salt) !== 8)
   return $output;

  # We were kind of forced to use MD5 here since it's the only
  # cryptographic primitive that was available in all versions
  # of PHP in use.  To implement our own low-level crypto in PHP
  # would have resulted in much worse performance and
  # consequently in lower iteration counts and hashes that are
  # quicker to crack (by non-PHP code).
  $hash = md5($salt . $password, TRUE);
  do {
   $hash = md5($hash . $password, TRUE);
  } while (--$count);

  $output = substr($setting, 0, 12);
  $output .= $this->encode64($hash, 16);

  return $output;
 }

 private function gensalt_blowfish($input)
 {
  # This one needs to use a different order of characters and a
  # different encoding scheme from the one in encode64() above.
  # We care because the last character in our encoded string will
  # only represent 2 bits.  While two known implementations of
  # bcrypt will happily accept and correct a salt string which
  # has the 4 unused bits set to non-zero, we do not want to take
  # chances and we also do not want to waste an additional byte
  # of entropy.
  $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

  $output = '$2a$';
  $output .= chr(ord('0') + $this->iteration_count_log2 / 10);
  $output .= chr(ord('0') + $this->iteration_count_log2 % 10);
  $output .= '$';

  $i = 0;
  do {
   $c1 = ord($input[$i++]);
   $output .= $itoa64[$c1 >> 2];
   $c1 = ($c1 & 0x03) << 4;
   if ($i >= 16) {
    $output .= $itoa64[$c1];
    break;
   }

   $c2 = ord($input[$i++]);
   $c1 |= $c2 >> 4;
   $output .= $itoa64[$c1];
   $c1 = ($c2 & 0x0f) << 2;

   $c2 = ord($input[$i++]);
   $c1 |= $c2 >> 6;
   $output .= $itoa64[$c1];
   $output .= $itoa64[$c2 & 0x3f];
  } while (1);

  return $output;
 }

 public function HashPassword($password)
 {
  $random = '';

  if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
   $random = $this->get_random_bytes(16);
   $hash =
       crypt($password, $this->gensalt_blowfish($random));
   if (strlen($hash) === 60)
    return $hash;
  }

  if (strlen($random) < 6)
   $random = $this->get_random_bytes(6);
  $hash =
      $this->crypt_private($password,
      $this->gensalt_private($random));
  if (strlen($hash) === 34)
   return $hash;

  # Returning '*' on error is safe here, but would _not_ be safe
  # in a crypt(3)-like function used _both_ for generating new
  # hashes and for validating passwords against existing hashes.
  return '*';
 }

 public function CheckPassword($password, $stored_hash)
 {
  $hash = $this->crypt_private($password, $stored_hash);
  if ($hash[0] === '*')
   $hash = crypt($password, $stored_hash);

  # This is not constant-time.  In order to keep the code simple,
  # for timing safety we currently rely on the salts being
  # unpredictable, which they are at least in the non-fallback
  # cases (that is, when we use /dev/urandom and bcrypt).
  return $hash === $stored_hash;
 }
}
class Customer {
 private $customer_id;
 private $firstname;
 private $lastname;
 private $customer_group_id;
 private $email;
 private $telephone;
 private $newsletter;
 private $address_id;

 public function __construct($registry) {
  $this->config = $registry->get('config');
  $this->db = $registry->get('db');
  $this->request = $registry->get('request');
  $this->session = $registry->get('session');

  if (isset($this->session->data['customer_id'])) {
   $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE customer_id = '" . (int)$this->session->data['customer_id'] . "' AND status = '1'");

   if ($customer_query->num_rows) {
    $this->customer_id = $customer_query->row['customer_id'];
    $this->firstname = $customer_query->row['firstname'];
    $this->lastname = $customer_query->row['lastname'];
    $this->customer_group_id = $customer_query->row['customer_group_id'];
    $this->email = $customer_query->row['email'];
    $this->telephone = $customer_query->row['telephone'];
    $this->newsletter = $customer_query->row['newsletter'];
    $this->address_id = $customer_query->row['address_id'];

    $this->db->query("UPDATE " . DB_PREFIX . "customer SET language_id = '" . (int)$this->config->get('config_language_id') . "', ip = '" . $this->db->escape($this->request->server['REMOTE_ADDR']) . "' WHERE customer_id = '" . (int)$this->customer_id . "'");

    $query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer_ip WHERE customer_id = '" . (int)$this->session->data['customer_id'] . "' AND ip = '" . $this->db->escape($this->request->server['REMOTE_ADDR']) . "'");

    if (!$query->num_rows) {
     $this->db->query("INSERT INTO " . DB_PREFIX . "customer_ip SET customer_id = '" . (int)$this->session->data['customer_id'] . "', ip = '" . $this->db->escape($this->request->server['REMOTE_ADDR']) . "', date_added = NOW()");
    }
   } else {
    $this->logout();
   }
  }
 }

 private function joomla_check($password, $hash){
  if (strpos($hash, '$P$') === 0)
  {
   $phpass = new PasswordHash(10, true);
   return $phpass->CheckPassword($password, $hash);
  }
  elseif (strpos($hash, '$2') === 0)
  {
   return password_verify($password, $hash);
  } else {
   return false;
  }
 }

  public function login($email, $password, $override = false) {
  if ($override) {
   $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(utf8_strtolower($email)) . "' AND status = '1'");
  } else {
   $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(utf8_strtolower($email)) . "' AND (password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "'))))) OR password = '" . $this->db->escape(md5($password)) . "') AND status = '1'");
   if (!$customer_query->num_rows) {
    $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $this->db->escape(utf8_strtolower($email)) . "' AND status = '1'");
    if ($customer_query->num_rows) {
     if (!$this->joomla_check($password, $customer_query->row['password'])){
      return false;
     }
    }     
   }
  }

  if ($customer_query->num_rows) {
   $this->session->data['customer_id'] = $customer_query->row['customer_id'];

   $this->customer_id = $customer_query->row['customer_id'];
   $this->firstname = $customer_query->row['firstname'];
   $this->lastname = $customer_query->row['lastname'];
   $this->customer_group_id = $customer_query->row['customer_group_id'];
   $this->email = $customer_query->row['email'];
   $this->telephone = $customer_query->row['telephone'];
   $this->newsletter = $customer_query->row['newsletter'];
   $this->address_id = $customer_query->row['address_id'];
  
   $this->db->query("UPDATE " . DB_PREFIX . "customer SET language_id = '" . (int)$this->config->get('config_language_id') . "', ip = '" . $this->db->escape($this->request->server['REMOTE_ADDR']) . "' WHERE customer_id = '" . (int)$this->customer_id . "'");

   return true;
  } else {
   return false;
  }
 }

 public function logout() {
  unset($this->session->data['customer_id']);

  $this->customer_id = '';
  $this->firstname = '';
  $this->lastname = '';
  $this->customer_group_id = '';
  $this->email = '';
  $this->telephone = '';
  $this->newsletter = '';
  $this->address_id = '';
 }

 public function isLogged() {
  return $this->customer_id;
 }

 public function getId() {
  return $this->customer_id;
 }

 public function getFirstName() {
  return $this->firstname;
 }

 public function getLastName() {
  return $this->lastname;
 }

 public function getGroupId() {
  return $this->customer_group_id;
 }

 public function getEmail() {
  return $this->email;
 }

 public function getTelephone() {
  return $this->telephone;
 }

 public function getNewsletter() {
  return $this->newsletter;
 }

 public function getAddressId() {
  return $this->address_id;
 }

 public function getBalance() {
  $query = $this->db->query("SELECT SUM(amount) AS total FROM " . DB_PREFIX . "customer_transaction WHERE customer_id = '" . (int)$this->customer_id . "'");

  return $query->row['total'];
 }

 public function getRewardPoints() {
  $query = $this->db->query("SELECT SUM(points) AS total FROM " . DB_PREFIX . "customer_reward WHERE customer_id = '" . (int)$this->customer_id . "'");

  return $query->row['total'];
 }
}

Bonus: database consideration

I don’t know how are you migrating but remember that the hashes from joomla take more space. You can alter your SQL table, I’m using MySQL so:

alter table oc_customer modify column pasword varchar(255) not null;

In my case the prefix is oc_ because I chose it when I Install OpenCart.

Conclusion

In this way we can allow old customers from MijoShop to login on OpenCart, and the advantage is that new users will be able to login as well; so all the passwords (olds and news) are checked according to the hash.

Here you can read more posts about OpenCart.


I am available for hiring if you need help! I can help you with your project or homework feel free to contact me.
If you liked the post, show your appreciation by sharing it, or making a donation

parzibyte

Freelancer programmer ready to work with you. Web, mobile and desktop applications. PHP, Java, Go, Python, JavaScript, Kotlin and more :) https://parzibyte.me/

Entradas recientes

Receipt designer for thermal printers – Free and open source

In the last months I have been working on a ticket designer to print on…

12 months hace

JavaScript: store and read files with the Origin Private File System

In this post you will learn how to use the Origin Private File System with…

1 year hace

JavaScript: download file with fetch

In this post you will learn how to download a file in the background using…

1 year hace

SQLite3 with vanilla JavaScript and OPFS – Hello world

In this post I will show you how to use SQLite3 directly in the web…

1 year hace

Python Thermal Printing: A Comprehensive Guide for Printing on Thermal Printers

In this tutorial, we'll explore how to effortlessly print receipts, invoices, and tickets on a…

1 year hace

Image printing on Thermal printer

When printing receipts on thermal printers (ESC POS) sometimes it is needed to print images…

1 year hace

Esta web usa cookies.