From 0b862f8a4e28537092d88520ca2a314c1d0637ea Mon Sep 17 00:00:00 2001
From: Juan Ferrer Toribio
Date: Tue, 2 Jul 2019 10:48:14 +0200
Subject: [PATCH] Bcrypt now is used for passwords
---
 debian/changelog | 2 +-
 package.json | 2 +-
 rest/core/account.php | 9 +++++++--
 web/service.php | 44 ++++++++++++++++++++++++++-----------------
 4 files changed, 36 insertions(+), 21 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 3d831632..5aa1ee03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-hedera-web (1.406.53) stable; urgency=low
+hedera-web (1.406.54) stable; urgency=low
 * Initial Release.
diff --git a/package.json b/package.json
index 90e891cc..2d6faf30 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "hedera-web",
- "version": "1.406.53",
+ "version": "1.406.54",
 "description": "Verdnatura web page",
 "license": "GPL-3.0",
 "repository": {
diff --git a/rest/core/account.php b/rest/core/account.php
index 69992142..819cd79e 100644
--- a/rest/core/account.php
+++ b/rest/core/account.php
@@ -27,6 +27,8 @@ class Account {
 self::sambaSync($db, $userName, $password);
 }
+ $bcryptPassword = password_hash($password, PASSWORD_BCRYPT);
+
 $userId = $db->getValue(
 'SELECT id FROM account.user WHERE `name` = #',
 [$userName]
@@ -36,8 +38,11 @@ class Account {
 [$userId, $password]
 );
 $db->query(
- 'UPDATE account.user SET sync = TRUE WHERE id = #',
- [$userId]
+ 'UPDATE account.user SET
+ sync = TRUE,
+ bcryptPassword = #
+ WHERE id = #',
+ [$bcryptPassword, $userId]
 );
 }
diff --git a/web/service.php b/web/service.php
index 63158958..aef926c2 100644
--- a/web/service.php
+++ b/web/service.php
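Review bot: The new `$bcryptPassword = password_hash($password, PASSWORD_BCRYPT);` line is stored unconditionally by the UPDATE in the second hunk, but on PHP versions before 8.0 `password_hash()` returns `false` on failure (the target PHP version is not visible here), so a failed hash would write a falsy value into `bcryptPassword` and silently leave that account without a usable bcrypt credential; guard it, e.g. `if ($bcryptPassword === false) throw new \RuntimeException('Could not hash password');`. The call whose argument list `[$userId, $password]` closes at the top of the second hunk still receives the plaintext password, so the legacy storage path appears to remain alongside the bcrypt one; if that is intentional for compatibility, a comment stating when the old `password` column can be dropped would help, since the weaker hash still bounds the protection gained here. Also confirm the `bcryptPassword` column can hold the 60-character bcrypt output, as a narrower column would truncate the hash and make `password_verify()` fail for every user. The enclosing method begins before the first hunk and its end lies outside the second.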
@@ -119,12 +119,7 @@ abstract class Service {
 }
 /**
- * Tries to retrieve user credentials from many sources such as POST,
- * SESSION or COOKIES. If $_POST['remember'] is defined the user credentials
- * are saved on the client brownser for future logins, cookies names are
- * 'vn_user' for the user name and 'vn_pass' for user password, the
- * password is encoded using base64_encode() function and should be decoded
- * using base64_decode().
+ * Authenticates the user with it's credentials or token.
 *
 * return Db\Conn The database connection
 */
@@ -132,18 +127,33 @@ abstract class Service {
 $db = $this->db;
 $anonymousUser = FALSE;
- if (isset($_POST['user']) && isset($_POST['password'])) {
+ if (isset($_POST['user']) && !empty($_POST['password'])) {
 $user = strtolower($_POST['user']);
-
- try {
- $db->query('CALL account.userLogin(#, #)',
- [$user, $_POST['password']]);
- } catch (Db\Exception $e) {
- if ($e->getMessage() == 'INVALID_CREDENTIALS') {
- sleep(3);
- throw new BadLoginException();
- } else
- throw $e;
+
+ $passwordHash = $db->getValue(
+ 'SELECT bcryptPassword FROM account.user
+ WHERE `name` = #',
+ [$user]
+ );
+
+ $passwordOk = !empty($passwordHash)
+ && password_verify($_POST['password'], $passwordHash);
+
+ // XXX: Compatibility with old MD5 passwords
+ if (empty($passwordHash)) {
+ $md5Password = $db->getValue(
+ 'SELECT `password` FROM account.user
+ WHERE `name` = #',
+ [$user]
+ );
+
+ $passwordOk = !empty($md5Password)
+ && $md5Password == md5($_POST['password']);
+ }
+
+ if (!$passwordOk) {
+ // sleep(3);
+ throw new BadLoginException();
 }
 } else {
 if (isset($_POST['token']) || isset($_GET['token'])) {
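Review bot: The replacement docblock line has a typo and the return tag on the context line below it is missing its `@`: `* Authenticates the user with it's credentials or token.` should read `* Authenticates the user with its credentials or token.`, and `return Db\Conn The database connection` should be `@return Db\Conn The database connection` so tooling recognises it. Since the old text described the credential sources in detail, one sentence stating that the bcrypt hash is checked first and the MD5 column only as a fallback would keep the docblock as informative as before. The documented method's body starts after this hunk.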
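Review bot: The MD5 fallback compares digests with loose `==` (`$md5Password == md5($_POST['password'])`), and PHP's `==` treats two numeric-looking strings as numbers, so a stored digest of the form `0e…` compares equal to any other `0e…` digest; use `hash_equals($md5Password, md5($_POST['password']))`, which is strict and constant-time. The failure path also comments out the `sleep(3)` that the removed code applied on a bad login, so nothing now slows repeated guesses against an account; keep a delay or, better, a per-account/IP attempt limit. A user who authenticates through the MD5 branch never gets a `bcryptPassword` written, so the legacy column has to be kept indefinitely; rehashing on a successful MD5 login closes that gap, as sketched below. Separately, `!empty($_POST['password'])` treats the literal password `"0"` as absent and drops into the token branch, which `isset($_POST['password']) && $_POST['password'] !== ''` would not. The enclosing method begins before this hunk and its end lies outside it.
```php
			// XXX: Compatibility with old MD5 passwords
			if (empty($passwordHash)) {
				// … unchanged: SELECT `password` lookup into $md5Password …
				$passwordOk = !empty($md5Password)
					&& hash_equals($md5Password, md5($_POST['password']));

				// Upgrade the legacy credential so this branch is not taken again for the user
				if ($passwordOk)
					$db->query(
						'UPDATE account.user SET bcryptPassword = # WHERE `name` = #',
						[password_hash($_POST['password'], PASSWORD_BCRYPT), $user]
					);
			}
```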