Bcrypt now is used for passwords
This commit is contained in:
parent
235121a637
commit
0b862f8a4e
|
|
@ -1,4 +1,4 @@
|
|||
hedera-web (1.406.53) stable; urgency=low
|
||||
hedera-web (1.406.54) stable; urgency=low
|
||||
|
||||
* Initial Release.
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"name": "hedera-web",
|
||||
"version": "1.406.53",
|
||||
"version": "1.406.54",
|
||||
"description": "Verdnatura web page",
|
||||
"license": "GPL-3.0",
|
||||
"repository": {
|
||||
|
|
|
|||
|
|
@ -27,6 +27,8 @@ class Account {
|
|||
self::sambaSync($db, $userName, $password);
|
||||
}
|
||||
|
||||
$bcryptPassword = password_hash($password, PASSWORD_BCRYPT);
|
||||
|
||||
$userId = $db->getValue(
|
||||
'SELECT id FROM account.user WHERE `name` = #',
|
||||
[$userName]
|
||||
|
|
@ -36,8 +38,11 @@ class Account {
|
|||
[$userId, $password]
|
||||
);
|
||||
$db->query(
|
||||
'UPDATE account.user SET sync = TRUE WHERE id = #',
|
||||
[$userId]
|
||||
'UPDATE account.user SET
|
||||
sync = TRUE,
|
||||
bcryptPassword = #
|
||||
WHERE id = #',
|
||||
[$bcryptPassword, $userId]
|
||||
);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -119,12 +119,7 @@ abstract class Service {
|
|||
}
|
||||
|
||||
/**
|
||||
* Tries to retrieve user credentials from many sources such as POST,
|
||||
* SESSION or COOKIES. If $_POST['remember'] is defined the user credentials
|
||||
* are saved on the client brownser for future logins, cookies names are
|
||||
* 'vn_user' for the user name and 'vn_pass' for user password, the
|
||||
* password is encoded using base64_encode() function and should be decoded
|
||||
* using base64_decode().
|
||||
* Authenticates the user with it's credentials or token.
|
||||
*
|
||||
* return Db\Conn The database connection
|
||||
*/
|
||||
|
|
@ -132,18 +127,33 @@ abstract class Service {
|
|||
$db = $this->db;
|
||||
$anonymousUser = FALSE;
|
||||
|
||||
if (isset($_POST['user']) && isset($_POST['password'])) {
|
||||
if (isset($_POST['user']) && !empty($_POST['password'])) {
|
||||
$user = strtolower($_POST['user']);
|
||||
|
||||
try {
|
||||
$db->query('CALL account.userLogin(#, #)',
|
||||
[$user, $_POST['password']]);
|
||||
} catch (Db\Exception $e) {
|
||||
if ($e->getMessage() == 'INVALID_CREDENTIALS') {
|
||||
sleep(3);
|
||||
throw new BadLoginException();
|
||||
} else
|
||||
throw $e;
|
||||
|
||||
$passwordHash = $db->getValue(
|
||||
'SELECT bcryptPassword FROM account.user
|
||||
WHERE `name` = #',
|
||||
[$user]
|
||||
);
|
||||
|
||||
$passwordOk = !empty($passwordHash)
|
||||
&& password_verify($_POST['password'], $passwordHash);
|
||||
|
||||
// XXX: Compatibility with old MD5 passwords
|
||||
if (empty($passwordHash)) {
|
||||
$md5Password = $db->getValue(
|
||||
'SELECT `password` FROM account.user
|
||||
WHERE `name` = #',
|
||||
[$user]
|
||||
);
|
||||
|
||||
$passwordOk = !empty($md5Password)
|
||||
&& $md5Password == md5($_POST['password']);
|
||||
}
|
||||
|
||||
if (!$passwordOk) {
|
||||
// sleep(3);
|
||||
throw new BadLoginException();
|
||||
}
|
||||
} else {
|
||||
if (isset($_POST['token']) || isset($_GET['token'])) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue