Skip to content

#4653 There is no method to compare old and current password since SecretTexts cannot be compared in Cloud#4654

Merged
JesperSchulz merged 3 commits into
microsoft:mainfrom
bc4all:main
Sep 11, 2025
Merged

#4653 There is no method to compare old and current password since SecretTexts cannot be compared in Cloud#4654
JesperSchulz merged 3 commits into
microsoft:mainfrom
bc4all:main

Conversation

@bc4all

@bc4all bc4all commented Sep 2, 2025

Copy link
Copy Markdown
Contributor

Summary

Adding the function to compare secret texts for Password module. The new function is needed to make sure that the two passwords match. There is already function ValidateOldPasswordMatch in Implementation however it cannot be used since:

  1. Name is not correct
  2. It is not used in any facade codeunit
  3. it exists if the input is empty

Therefore for clarity the similar function has been added with the proper name. Also to facade codeunit the function has been added to be able to run it by developers.

Work Item(s) #4653

Fixes #4653

Fixes AB#602113

@bc4all

bc4all commented Sep 2, 2025

Copy link
Copy Markdown
Contributor Author

@microsoft-github-policy-service agree

@JesperSchulz JesperSchulz self-assigned this Sep 3, 2025
@JesperSchulz JesperSchulz added the Integration GitHub request for Integration area label Sep 3, 2025
@JesperSchulz

Copy link
Copy Markdown
Contributor

The PR did not pass the security review 🥺 @darjoo might be able to elaborate.

@bc4all

bc4all commented Sep 4, 2025

Copy link
Copy Markdown
Contributor Author

@JesperSchulz @darjoo thank you for info but I need more info since the MS broke our code (an therefore whole solution that is used by customers). Moreover there is no alternative ways to do it in proper way just by bypassing MS system modules:

  1. The code is exact copy of code you already use in the module - check functions ValidateOldPasswordMatch and ValidateNewPasswordUniqueness. How this procedure that is propose does not pass security validation and Microsoft code pass it?
  2. How it is possible that nondebuggable code that is marked as onPrem only (run only on MS server) is not secure?
  3. If this code break the security how developers can in a secure way compare SecretTexts? Password is only one thing but there are other partners also waiting on this.
  4. If there are no ways to do it why you remove functions that cannot be replaced by other way that coping whole module?

I am really looking forward to get your answer on this since I need to take an action

@bc4all

bc4all commented Sep 4, 2025

Copy link
Copy Markdown
Contributor Author

BTW: Without this change the whole module is rather useless in the system (and this is not a comment - but rather fact or question so it would help to solve the issue with the process).

If I am missing something and having this scenario:

  1. User use Password Dialog to create new password
  2. Developer get a SecretText from the function OpenSecretPasswordDialog(true, true)
  3. Developer store the password somewhere (example - islolated storege) - most likely with hash etc.
  4. User run function that requires confirm the password (there are reasons why someone use passwords after all)
  5. Developer runs the function OpenSecretPasswordDialog(false,false) and get the password typed by user as SecretText
  6. Developer needs to compare if passwords match

How to accomplish in current state point 6?
As mentioned before:

  1. AL does not allow to compare SecretTexts
  2. AL Cloud does not allow unwrap() on SecretTexts
  3. There is no public function that allow to compare SecretTexts on server side

The problem is that OpenSecretPasswordDialog in 26 returned texts now secret texts - which in general of course make sense but without any option to compare SecretTexts it is breaking change

@StefanMaron StefanMaron left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dont see any issues with this

@JesperSchulz

JesperSchulz commented Sep 5, 2025

Copy link
Copy Markdown
Contributor

I don't know any details yet unfortunately, but I will try to get answers to your questions! I should have waited to post the rejection until I know the background. Was a bit too quick there.
But then again, now we have more context, which is helpful. We'll be in touch!

@JesperSchulz

JesperSchulz commented Sep 9, 2025

Copy link
Copy Markdown
Contributor

@bc4all, your case has been reopened based on the detailed background you provided, which was most helpful. We're looking into options to unblock you.
When do you need those changes. Are these a must for 27.0, or can you wait until 27.1? Just so that I understand the urgency of this request?

@bc4all

bc4all commented Sep 9, 2025

Copy link
Copy Markdown
Contributor Author

In the worst case scenario we can wait until 27.1 I know how you all are busy right now before release.

@dannoe

dannoe commented Sep 9, 2025

Copy link
Copy Markdown
Contributor

Maybe it was rejected because we can bruteforce SecretTexts with this method.

@JesperSchulz

Copy link
Copy Markdown
Contributor

Maybe it was rejected because we can bruteforce SecretTexts with this method.

That was indeed one of the points that was brought up, but after thorough discussions we've landed on the conclusion that the risk of abuse is minimal, while the benefits of having this capability are clear. The decision has hence been revised and we now got security clearance to move forward with this PR 🥳

@JesperSchulz JesperSchulz added the Linked Issue is linked to a Azure Boards work item label Sep 10, 2025
@github-actions github-actions Bot added this to the Version 28.0 milestone Sep 10, 2025

@darjoo darjoo left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rediscussed internally, approving.

@JesperSchulz JesperSchulz merged commit d7a615c into microsoft:main Sep 11, 2025
26 of 28 checks passed
JesperSchulz pushed a commit that referenced this pull request Sep 11, 2025
…cretTexts cannot be compared in Cloud (#4654)

#### Summary 
Adding the function to compare secret texts for Password module. The new
function is needed to make sure that the two passwords match. There is
already function ValidateOldPasswordMatch in Implementation however it
cannot be used since:
1. Name is not correct
2. It is not used in any facade codeunit
3. it exists if the input is empty

Therefore for clarity the similar function has been added with the
proper name. Also to facade codeunit the function has been added to be
able to run it by developers.

#### Work Item(s) #4653

Fixes #4653


Fixes
[AB#602113](https://dynamicssmb2.visualstudio.com/1fcb79e7-ab07-432a-a3c6-6cf5a88ba4a5/_workitems/edit/602113)
JesperSchulz pushed a commit that referenced this pull request Sep 11, 2025
…cretTexts cannot be compared in Cloud (#4654)

#### Summary 
Adding the function to compare secret texts for Password module. The new
function is needed to make sure that the two passwords match. There is
already function ValidateOldPasswordMatch in Implementation however it
cannot be used since:
1. Name is not correct
2. It is not used in any facade codeunit
3. it exists if the input is empty

Therefore for clarity the similar function has been added with the
proper name. Also to facade codeunit the function has been added to be
able to run it by developers.

#### Work Item(s) #4653

Fixes #4653


Fixes
[AB#602113](https://dynamicssmb2.visualstudio.com/1fcb79e7-ab07-432a-a3c6-6cf5a88ba4a5/_workitems/edit/602113)
JesperSchulz added a commit that referenced this pull request Sep 11, 2025
…word since SecretTexts cannot be compared in Cloud - missing capability in 27 compared to 26! - Copy (#4752)

<!-- Thank you for submitting a Pull Request. If you're new to
contributing to BCApps please read our pull request guideline below
* https://github.com/microsoft/BCApps/Contributing.md
-->
#### Summary <!-- Provide a general summary of your changes -->
Backport of #4654

#### Work Item(s) <!-- Add the issue number here after the #. The issue
needs to be open and approved. Submitting PRs with no linked issues or
unapproved issues is highly discouraged. -->
Fixes
[AB#602448](https://dynamicssmb2.visualstudio.com/1fcb79e7-ab07-432a-a3c6-6cf5a88ba4a5/_workitems/edit/602448)

Co-authored-by: bc4all <104026807+bc4all@users.noreply.github.com>
JesperSchulz added a commit that referenced this pull request Sep 11, 2025
…word since SecretTexts cannot be compared in Cloud - missing capability in 27 compared to 26! (#4751)

<!-- Thank you for submitting a Pull Request. If you're new to
contributing to BCApps please read our pull request guideline below
* https://github.com/microsoft/BCApps/Contributing.md
-->
#### Summary <!-- Provide a general summary of your changes -->
Backport of #4654

#### Work Item(s) <!-- Add the issue number here after the #. The issue
needs to be open and approved. Submitting PRs with no linked issues or
unapproved issues is highly discouraged. -->
Fixes
[AB#602446](https://dynamicssmb2.visualstudio.com/1fcb79e7-ab07-432a-a3c6-6cf5a88ba4a5/_workitems/edit/602446)

Co-authored-by: bc4all <104026807+bc4all@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

AL: System Application From Fork Pull request is coming from a fork Integration GitHub request for Integration area Linked Issue is linked to a Azure Boards work item

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: There is no method to compare old and current password since SecretTexts cannot be compared in Cloud

5 participants