One of the functions of the registration web application I'm building for my servers allows a user to change their password through the application, but during my testing I've seen some really weird behavior: The new 'sha_pass_hash' gets updated to appropriately reflect the value the user chose for their new password, and it allows them to log into the web application fine, but from within the 3.3.5a client, their old password is the one that still authenticates them successfully.
At first I thought the old passwords were kept in memory somewhere, but I had power-cycled the VM running TrinityCore and the database and the behavior is persistent. My application doesn't store credentials in memory either, the most I do is serialize the 'username' and 'id' columns from 'auth.account' into a timed JWT that I use on my front-end for seamless navigation through the app without forcing the user to do basic HTTP authentication everytime an API endpoint is called.
I was also wondering if this had something to do with the 'sessionkey' columns, however I can't find any description in the documentation about what those hashes are and if it's safe to clear them.
Some code, for reference (The back-end for this is a REST API written in Python with Flask and Flask-SQLAlchemy):
SQLAlchemy model for the 'account' table
Authentication logic
The 'update password' function
One of the functions of the registration web application I'm building for my servers allows a user to change their password through the application, but during my testing I've seen some really weird behavior: The new 'sha_pass_hash' gets updated to appropriately reflect the value the user chose for their new password, and it allows them to log into the web application fine, but from within the 3.3.5a client, their old password is the one that still authenticates them successfully. At first I thought the old passwords were kept in memory somewhere, but I had power-cycled the VM running TrinityCore and the database and the behavior is persistent. My application doesn't store credentials in memory either, the most I do is serialize the 'username' and 'id' columns from 'auth.account' into a timed JWT that I use on my front-end for seamless navigation through the app without forcing the user to do basic HTTP authentication everytime an API endpoint is called. I was also wondering if this had something to do with the 'sessionkey' columns, however I can't find any description in the documentation about what those hashes are and if it's safe to clear them. Some code, for reference (The back-end for this is a REST API written in Python with Flask and Flask-SQLAlchemy): SQLAlchemy model for the 'account' table Authentication logic The 'update password' function