SMTP Email Password Lost in Craft 3.1 Update

[putyourlightson]

I'm sure this has come up somewhere already but I couldn't find it in any issues besides #1977 (comment).

What I've come across in helping others out is that after updating from Craft 3.0.x to 3.1.3, their SMTP email password was converted to a base64 encoded string, that read something like:

base64_encoded:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

This appears to be related to the password field being changed to an autosuggest field but it has been quietly breaking email sending on sites where the password has not been resaved since the update.

[brandonkelly]

Email passwords were never (supposed to be) stored as base64-encoded strings in the DB, only plain text. But this is the second time someone has had this issue. We can’t reproduce though. Any chance you can send your prep-3.3-update database backup to support@craftcms.com? (It’ll be the first backup in storage/backups/ that ends in 3.1.X.sql.)

[putyourlightson]

I did some investigating and this appears to reproducable as follows:

1. Have Craft 3.0.37 installed.
2. Save SMTP email settings with username and password.
3. Revisit the email settings page in Chrome v71 – the password field is obfuscated.
4. Save the email settings without making any changes.

The resulting value that is stored in the systemsettings table is:

{"fromEmail":"me@email.com","fromName":"Craft","template":null,"transportType":"craft\\mail\\transportadapters\\Smtp","transportSettings":{"host":"my.host.name","port":"25","useAuthentication":"1","username":"myusername","password":"base64:Y3J5cHQ6rKrqDhIY28Y9gkVDTM9AdDhlOTc0NWQxYWIxM2M0NTk0NmI0MjA4OWE1MGVjZjM3MjdiMjRhODJlZDY1ODNhYzIyZjgzZTdkYzY4Y2ZlNGT7FiLEAoCnpHwbzMLHcplslBjvmSUYIKESrh8aAl102A==","encryptionMethod":"","timeout":"10"}}

So Chrome's password field is base64 encoding the password and the SMTP transport adapter was decoding it:

cms/src/mail/transportadapters/Smtp.php

Line 84 in 0173df7

$this->password = StringHelper::decdec($this->password);

But because the password field is a plaintext field in 3.1, the decoding is not being applied any more:

cms/src/mail/transportadapters/Smtp.php

Line 151 in 51b8140

$config['password'] = Craft::parseEnv($this->password);

I'm not sure what the best solution is, perhaps decoding the tansport adaptor password setting in a migration?

[brandonkelly]

Thanks! Steps 3 and 4 were missing when I first tried to reproduce this. We never intended for Craft 3.0 to store encrypted passwords in the database; it was meant to be a UI-only thing.

Will write a 3.1 migration that updates email settings in project.yaml to fix this.

[putyourlightson]

Great, thanks.

[danjrichardson]

So I've just had the same issue with a site that was on Craft 3.0.28, migrating to the latest 3.7.37.
Doing a direct upgrade failed various times due to migration scripts not running correctly, but the email password was still base64 encoded within the systemsettings table and a null value in the project config.

Just to share my super quick dirty fix I utilised the existing Module.php file init method to just echo out the decoded password:

use craft\helpers\StringHelper;

...

$password = "base64:this_is_the_encrypted_value_from_the_systemsettings_table";
try {
    $decPassword = StringHelper::decdec($password);
    echo $decPassword;
} catch (\Throwable $e) {
    echo $e->getMessage();
    return;
}