Post by capte » Thu Dec 15, 2022 3:34 am

After reviewing and testing OC4, we noticed that for the customer passwords there is no fallback.
This means that any customer password from the previous version won't work.
So if you upgrade to the latest version the customer will need to go back and reset his password.
This way it will be hashed correctly.

OC3 : $this->db->escape(sha1($salt . sha1($salt . sha1($data['password']))))
OC4 : $this->db->escape(password_hash(html_entity_decode($data['password'], ENT_QUOTES, 'UTF-8'), PASSWORD_DEFAULT))

Any idea if we could do a fallback so that the customer could eventually change his password but still log in at least for the first time on OC4?


Post by IP_CAM » Thu Dec 15, 2022 3:59 am

Just to mention it, upgrading from an older OC Version to OC v.4.x is not really recommendable.

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by capte » Thu Dec 15, 2022 4:32 am

That we know! ;)

Clean install ... imported data ...
Also tried the upgrade process ...

Still, nothing seems to be planned for password updates.
This means that people won't migrate.
Backward compatibility should at least be implemented for customer passwords and admin passwords.

Guess we will see ...


Post by ADD Creative » Thu Dec 15, 2022 5:26 am

Looks like there is code there to allow and update old passwords. Where are you looking?
https://github.com/opencart/opencart/bl ... hp#L60-L68

www.add-creative.co.uk



Post by capte » Thu Dec 15, 2022 11:08 am

Didn't see that one ... Thanks, I'll investigate!


Post by capte » Thu Dec 15, 2022 10:58 pm

I reimported manually the customer table from OC3 to OC4 and it works.
You are totally right, the fallback is there. I'm now wondering if it's the upgrade that cleared the customer salt from the table.
I'm going to test and post the results here.
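
Added example, not part of the thread and not OpenCart's own code: a sketch of the verify-then-rehash fallback discussed above, using the two hash formulas quoted in the first post. The function names, the row layout (`password`, `salt`) and the sample values are assumptions made for illustration. It also shows why a legacy row whose salt has been cleared can no longer be verified.

```php
<?php
// Added illustration; helper names and row layout are hypothetical.

// OC3-style hash, as quoted in the first post.
function legacy_hash(string $password, string $salt): string {
    return sha1($salt . sha1($salt . sha1($password)));
}

// OC4-style hash, as quoted in the first post.
function modern_hash(string $password): string {
    $decoded = html_entity_decode($password, ENT_QUOTES, 'UTF-8');
    return password_hash($decoded, PASSWORD_DEFAULT);
}

// Returns [bool $ok, ?string $newHash]. $newHash is non-null when the
// stored value should be replaced by the caller.
function verify_and_upgrade(array $row, string $password): array {
    $decoded = html_entity_decode($password, ENT_QUOTES, 'UTF-8');

    // 1. Current format: password_hash() output.
    if (password_verify($decoded, $row['password'])) {
        $stale = password_needs_rehash($row['password'], PASSWORD_DEFAULT);
        return [true, $stale ? modern_hash($password) : null];
    }

    // 2. Legacy format: only checkable if the per-customer salt survived.
    //    hash_equals() keeps the comparison constant-time.
    $salt = $row['salt'] ?? '';
    if ($salt !== '' && hash_equals($row['password'], legacy_hash($password, $salt))) {
        return [true, modern_hash($password)]; // upgrade on first login
    }

    return [false, null];
}

// Constructed sample data.
$pw   = 'correct horse';
$salt = 'k3Jq9ZpQx';
$imported = ['password' => legacy_hash($pw, $salt), 'salt' => $salt];
$saltLost = ['password' => legacy_hash($pw, $salt), 'salt' => ''];

[$ok, $newHash] = verify_and_upgrade($imported, $pw);
var_dump($ok, is_string($newHash));           // legacy row with its salt

[$okLost] = verify_and_upgrade($saltLost, $pw);
var_dump($okLost);                            // same hash, salt cleared

[$okNew] = verify_and_upgrade(['password' => $newHash, 'salt' => ''], $pw);
var_dump($okNew);                             // after the rehash is stored
```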
