Bcrypt now is used for passwords

This commit is contained in:
Juan Ferrer 2019-07-02 10:48:14 +02:00
parent 235121a637
commit 0b862f8a4e
4 changed files with 36 additions and 21 deletions

2
debian/changelog vendored
View File

@ -1,4 +1,4 @@
hedera-web (1.406.53) stable; urgency=low
hedera-web (1.406.54) stable; urgency=low
* Initial Release.

View File

@ -1,6 +1,6 @@
{
"name": "hedera-web",
"version": "1.406.53",
"version": "1.406.54",
"description": "Verdnatura web page",
"license": "GPL-3.0",
"repository": {

View File

@ -27,6 +27,8 @@ class Account {
self::sambaSync($db, $userName, $password);
}
$bcryptPassword = password_hash($password, PASSWORD_BCRYPT);
$userId = $db->getValue(
'SELECT id FROM account.user WHERE `name` = #',
[$userName]
@ -36,8 +38,11 @@ class Account {
[$userId, $password]
);
$db->query(
'UPDATE account.user SET sync = TRUE WHERE id = #',
[$userId]
'UPDATE account.user SET
sync = TRUE,
bcryptPassword = #
WHERE id = #',
[$bcryptPassword, $userId]
);
}

View File

@ -119,12 +119,7 @@ abstract class Service {
}
/**
* Tries to retrieve user credentials from many sources such as POST,
* SESSION or COOKIES. If $_POST['remember'] is defined the user credentials
* are saved on the client brownser for future logins, cookies names are
* 'vn_user' for the user name and 'vn_pass' for user password, the
* password is encoded using base64_encode() function and should be decoded
* using base64_decode().
* Authenticates the user with it's credentials or token.
*
* return Db\Conn The database connection
*/
@ -132,18 +127,33 @@ abstract class Service {
$db = $this->db;
$anonymousUser = FALSE;
if (isset($_POST['user']) && isset($_POST['password'])) {
if (isset($_POST['user']) && !empty($_POST['password'])) {
$user = strtolower($_POST['user']);
try {
$db->query('CALL account.userLogin(#, #)',
[$user, $_POST['password']]);
} catch (Db\Exception $e) {
if ($e->getMessage() == 'INVALID_CREDENTIALS') {
sleep(3);
$passwordHash = $db->getValue(
'SELECT bcryptPassword FROM account.user
WHERE `name` = #',
[$user]
);
$passwordOk = !empty($passwordHash)
&& password_verify($_POST['password'], $passwordHash);
// XXX: Compatibility with old MD5 passwords
if (empty($passwordHash)) {
$md5Password = $db->getValue(
'SELECT `password` FROM account.user
WHERE `name` = #',
[$user]
);
$passwordOk = !empty($md5Password)
&& $md5Password == md5($_POST['password']);
}
if (!$passwordOk) {
// sleep(3);
throw new BadLoginException();
} else
throw $e;
}
} else {
if (isset($_POST['token']) || isset($_GET['token'])) {