Find if a string matches a user password

security

#1

I have a tool that might change the password of a MarkLogic user. But I would like to avoid executing the update, if I can determine that the given password matches the current password of the given user.

Is there an algorithm that I can use to see if a string matches a given user password?


#2

Hi,

The passwords are stored in the Security DB, in the collection “http://marklogic.com/xdmp/users”.
In these documents, the digest-password element value is md5(username + ":" + realm + ":" + password).
See http://en.wikipedia.org/wiki/Digest_access_authentication

Assuming you have a user “user” with password “password” and set the realm to “public” when installing MarkLogic, you can check with the following:

(: XQuery :)
xdmp:exists(
  cts:search(fn:collection("http://marklogic.com/xdmp/users"),
    cts:and-query((
      cts:element-value-query(fn:QName("http://marklogic.com/xdmp/security", "user-name"), "user"),
      cts:element-value-query(fn:QName("http://marklogic.com/xdmp/security", "digest-password"), xdmp:md5("user:public:password"))
    ))))

// JavaScript
cts.exists(
  cts.andQuery([
    cts.collectionQuery("http://marklogic.com/xdmp/users"),
    cts.elementValueQuery(fn.QName("http://marklogic.com/xdmp/security", "user-name"), "user"),
    cts.elementValueQuery(fn.QName("http://marklogic.com/xdmp/security", "digest-password"), xdmp.md5('user:public:password'))
  ]))
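The same md5(username:realm:password) computation, written as an added example for the password-changing tool from the question (it is not code from the thread or from MarkLogic); it assumes the digest is read from the Security DB as a hex string and that xdmp:md5 hashes the UTF-8 bytes of the string, and the stored value below is constructed, not taken from a real server.

```python
import hashlib
import hmac


def marklogic_digest(username: str, realm: str, password: str) -> str:
    """Reproduce the value stored in the digest-password element:
    md5(username + ":" + realm + ":" + password) as lowercase hex.
    A ':' inside the username would make the concatenation ambiguous,
    so such a username is rejected rather than hashed."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    data = f"{username}:{realm}:{password}".encode("utf-8")  # assumption: UTF-8, as xdmp:md5 does
    return hashlib.md5(data).hexdigest()


def password_matches(stored_digest: str, username: str, realm: str, candidate: str) -> bool:
    """True if `candidate` is already the current password for `username`.
    The stored value is normalised to lowercase hex and compared in constant
    time, so a near-miss is not distinguishable from a miss by timing."""
    expected = marklogic_digest(username, realm, candidate)
    return hmac.compare_digest(expected, stored_digest.strip().lower())


def needs_password_update(stored_digest: str, username: str, realm: str, new_password: str) -> bool:
    """The tool's decision: only execute the update when the password actually changes."""
    return not password_matches(stored_digest, username, realm, new_password)


if __name__ == "__main__":
    # Constructed stand-in for the digest-password value read from the Security DB.
    stored = marklogic_digest("user", "public", "password")
    print("same password, update needed:", needs_password_update(stored, "user", "public", "password"))
    print("new password, update needed: ", needs_password_update(stored, "user", "public", "s3cret"))
```

Because the digest is an unsalted MD5 over the password with a fixed, known prefix, it is as sensitive as the password itself; treat the stored value accordingly and keep the comparison on the server side.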

#3

Nice, thank you Laurent!

And because it uses MD5, I should even be able to send the hash to a client-side script, which can apply the same algorithm itself, without having to send the actual password to MarkLogic to make the check there.

So no password flowing through the pipe, only hashes, which is a Good Thing©