Problem with Java ReplaceTokens with HashString

Hi all, I have a reset password flow. In my flow I generate a password (Common Java call with argument > Length = 5). After that action I change the password (in entity Medewerker) and look for an e-mail template. When the e-mail template is found, a 'Call Replace e-mail template tokens' will start. The customer is allowed to set the e-mail template (on the front side of the Mendix application) and can customize their own template (text, subject, tokens, etc.). 1 token is > password.

The problem is that everything works fine, except the password. After generating the password there is a new password with length 5 > A1!je (for example). After the 'replace token' action the password has a length of more than 40: {SSHA256}9VnD6FSxyZmKniQFcoL3ZV1E3xUgamUnOjhW8vzC9lP0Vuc9IdvFGQ==

I think the problem is the Java call replace tokens. My assumption is that a 'hash string' field is not possible to replace in a Java action. Is that correct? How can I solve this problem???

```java
import com.mendix.systemwideinterfaces.core.IMendixObject;
import com.mendix.systemwideinterfaces.core.UserAction;
import mxmodelreflection.TokenReplacer;

/**
 * Search the parameter text for the token from the parameter TokenObject, replace the value with a value from the parameter ValueObject.
 */
public class ReplaceToken extends UserAction<String>
{
	private IMendixObject __TokenObject;
	private mxmodelreflection.proxies.Token TokenObject;
	private IMendixObject ValueObject;
	private String Text;

	public ReplaceToken(IMendixObject TokenObject, IMendixObject ValueObject, String Text)
	{
		super();
		this.__TokenObject = TokenObject;
		this.ValueObject = ValueObject;
		this.Text = Text;
	}

	@Override
	public String executeAction() throws Exception
	{
		this.TokenObject = __TokenObject == null ? null : mxmodelreflection.proxies.Token.initialize(this.getContext(), __TokenObject);

		// BEGIN USER CODE
		// The replacement value is read from ValueObject as it is stored on the object.
		return TokenReplacer.replaceToken(this.getContext(), this.Text, this.__TokenObject, this.ValueObject);
		// END USER CODE
	}

	/**
	 * Returns a string representation of this action
	 */
	@Override
	public String toString()
	{
		return "ReplaceToken";
	}

	// BEGIN EXTRA CODE
	// END EXTRA CODE
}
```

1 answers

A password is stored as a hash value. If you want to send a password to a user, store it in a separate field. Be sure to clear that field after sending the password, otherwise your system will be insecure.

The hash is calculated by a one-way algorithm which cannot be reversed (at the moment). When you log in, the hash values are compared.

In other words: you can compute the hash value from the password, but you cannot create a password from a hash value.
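
The behaviour described in this thread, as an added example that is not part of the original posts and is not Mendix's own code: a salted SHA-256 hash is what comes back when the stored attribute is read, and login works by re-hashing and comparing. The class name, the `{password}` token syntax, the template text and the byte layout (digest followed by an 8-byte salt, base64-encoded, in the style of LDAP SSHA) are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class HashStringDemo {
    static final String PREFIX = "{SSHA256}";

    // Assumed layout: base64( SHA-256(password || salt) || salt )
    static String hash(String password, byte[] salt) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        byte[] digest = md.digest(salt);
        byte[] out = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    // Login check: recover the salt from the stored value, re-hash the candidate, compare.
    static boolean verify(String candidate, String stored) throws Exception {
        byte[] raw = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        byte[] salt = Arrays.copyOfRange(raw, 32, raw.length);
        return MessageDigest.isEqual(
            stored.getBytes(StandardCharsets.UTF_8),
            hash(candidate, salt).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String template = "Your new password is {password}"; // constructed template
        String generated = "A1!je";                          // example value from the post
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);

        String storedAttribute = hash(generated, salt);      // what the entity keeps

        // Reading the attribute back yields the hash, so this e-mail text contains the hash.
        System.out.println(template.replace("{password}", storedAttribute));
        // Substituting the generated value while it is still a local variable gives the real password.
        System.out.println(template.replace("{password}", generated));

        // The stored value is only usable for comparison, never for recovery.
        System.out.println(verify("A1!je", storedAttribute));
        System.out.println(verify("wrong", storedAttribute));
    }
}
```

The plaintext exists only in the local variable `generated`; once the e-mail text has been built there is nothing left to clear, which is the same goal as the separate field the answer recommends emptying after sending.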