Authenticating an external app against ExpressionEngine's member data

Hi there!

Does anyone know if EE 2.x does weird things to password hashes other than combining the salt and password and hashing that with an available SHA algorithm?

I’m updating some Ruby I wrote for EE 1.x which replicates ExpressionEngine’s username and password authentication, as I’d like to use my member database to authenticate users on an IRC server.

In EE 1.x, this was pretty simple: grab the user’s password hash from exp_members and compare it to the SHA-1 hex digest of their input.

EE 2.x has introduced environment-sensitive hash algorithms and password salts—both good things! And the code in system/expressionengine/libraries/Auth.php (as of ExpressionEngine 2.2.2) seems simple enough:

1. Fetch exp_members.salt and exp_members.password for the user
2. Choose a hash algorithm based on the byte length of exp_members.password (hopefully this is 128 bytes, which corresponds to SHA-512!)
3. Concatenate exp_members.salt and user’s password input (in that order, e.g. $salt.$password)
4. Hash the resulting string using the algorithm chosen in step two
5. Compare the hashed string and exp_members.password

However, something’s catching me out. My ExpressionEngine install sports 128-byte password hashes in exp_members, which points to ExpressionEngine using SHA-512 to hash things up. However, when I do the following in Ruby:

require "digest/sha2"
Digest::SHA512.hexdigest(salt_from_database + user_password_input)

…the resulting hex digest is definitely not what’s in exp_members.password! Does anyone see anything obvious I’m missing? Is EE faking me out and using some other code entirely for generating password hashes? Maybe it’s truncating password length somewhere?

Any clues would be fantastic! Thanks! 😊