Bcrypt now is used for passwords
parent
235121a637
commit
0b862f8a4e
|
@ -1,4 +1,4 @@
|
||||||
hedera-web (1.406.53) stable; urgency=low
|
hedera-web (1.406.54) stable; urgency=low
|
||||||
|
|
||||||
* Initial Release.
|
* Initial Release.
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"name": "hedera-web",
|
"name": "hedera-web",
|
||||||
"version": "1.406.53",
|
"version": "1.406.54",
|
||||||
"description": "Verdnatura web page",
|
"description": "Verdnatura web page",
|
||||||
"license": "GPL-3.0",
|
"license": "GPL-3.0",
|
||||||
"repository": {
|
"repository": {
|
||||||
|
|
|
@ -27,6 +27,8 @@ class Account {
|
||||||
self::sambaSync($db, $userName, $password);
|
self::sambaSync($db, $userName, $password);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$bcryptPassword = password_hash($password, PASSWORD_BCRYPT);
|
||||||
|
|
||||||
$userId = $db->getValue(
|
$userId = $db->getValue(
|
||||||
'SELECT id FROM account.user WHERE `name` = #',
|
'SELECT id FROM account.user WHERE `name` = #',
|
||||||
[$userName]
|
[$userName]
|
||||||
|
@ -36,8 +38,11 @@ class Account {
|
||||||
[$userId, $password]
|
[$userId, $password]
|
||||||
);
|
);
|
||||||
$db->query(
|
$db->query(
|
||||||
'UPDATE account.user SET sync = TRUE WHERE id = #',
|
'UPDATE account.user SET
|
||||||
[$userId]
|
sync = TRUE,
|
||||||
|
bcryptPassword = #
|
||||||
|
WHERE id = #',
|
||||||
|
[$bcryptPassword, $userId]
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
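Review bot: The hash written by `bcryptPassword = #` with `[$bcryptPassword, $userId]` is stored without being checked: on PHP releases before 8.0 `password_hash()` returns FALSE on failure, and the UPDATE would then persist an empty value, which the login change in this same commit treats as "no bcrypt hash yet" and silently routes to the MD5 fallback. A guard right after the hash line in the first hunk, `if ($bcryptPassword === FALSE) throw new \Exception('password_hash failed');`, keeps a hashing failure from quietly degrading to the legacy path. The statement ending at `[$userId, $password]` (its start is above this hunk) and the `sambaSync()` call still receive the plaintext password, so the pre-bcrypt credential store is kept in parallel rather than replaced; if that is intended for a migration window, a short comment saying so, and when it can be dropped, would help the next reader.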
||||||
|
|
|
@ -119,12 +119,7 @@ abstract class Service {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Tries to retrieve user credentials from many sources such as POST,
|
* Authenticates the user with it's credentials or token.
|
||||||
* SESSION or COOKIES. If $_POST['remember'] is defined the user credentials
|
|
||||||
* are saved on the client brownser for future logins, cookies names are
|
|
||||||
* 'vn_user' for the user name and 'vn_pass' for user password, the
|
|
||||||
* password is encoded using base64_encode() function and should be decoded
|
|
||||||
* using base64_decode().
|
|
||||||
*
|
*
|
||||||
* return Db\Conn The database connection
|
* return Db\Conn The database connection
|
||||||
*/
|
*/
|
||||||
|
@ -132,18 +127,33 @@ abstract class Service {
|
||||||
$db = $this->db;
|
$db = $this->db;
|
||||||
$anonymousUser = FALSE;
|
$anonymousUser = FALSE;
|
||||||
|
|
||||||
if (isset($_POST['user']) && isset($_POST['password'])) {
|
if (isset($_POST['user']) && !empty($_POST['password'])) {
|
||||||
$user = strtolower($_POST['user']);
|
$user = strtolower($_POST['user']);
|
||||||
|
|
||||||
try {
|
$passwordHash = $db->getValue(
|
||||||
$db->query('CALL account.userLogin(#, #)',
|
'SELECT bcryptPassword FROM account.user
|
||||||
[$user, $_POST['password']]);
|
WHERE `name` = #',
|
||||||
} catch (Db\Exception $e) {
|
[$user]
|
||||||
if ($e->getMessage() == 'INVALID_CREDENTIALS') {
|
);
|
||||||
sleep(3);
|
|
||||||
|
$passwordOk = !empty($passwordHash)
|
||||||
|
&& password_verify($_POST['password'], $passwordHash);
|
||||||
|
|
||||||
|
// XXX: Compatibility with old MD5 passwords
|
||||||
|
if (empty($passwordHash)) {
|
||||||
|
$md5Password = $db->getValue(
|
||||||
|
'SELECT `password` FROM account.user
|
||||||
|
WHERE `name` = #',
|
||||||
|
[$user]
|
||||||
|
);
|
||||||
|
|
||||||
|
$passwordOk = !empty($md5Password)
|
||||||
|
&& $md5Password == md5($_POST['password']);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$passwordOk) {
|
||||||
|
// sleep(3);
|
||||||
throw new BadLoginException();
|
throw new BadLoginException();
|
||||||
} else
|
|
||||||
throw $e;
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (isset($_POST['token']) || isset($_GET['token'])) {
|
if (isset($_POST['token']) || isset($_GET['token'])) {
|
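Review bot: The legacy branch compares digests with a loose `==` at `&& $md5Password == md5($_POST['password']);`; in PHP two numeric-looking strings are compared as numbers under `==`, so this can report a match for unequal digests, and the comparison is not constant-time. Use `&& hash_equals($md5Password, md5($_POST['password']));` instead. The failed-login delay present in the old code is now disabled as `// sleep(3);`, so the rewrite drops the brute-force throttling on bad credentials; either restore `sleep(3);` or leave a comment on where that rate limiting now lives. A successful MD5 login is also the natural point to rehash with `password_hash()` and store `bcryptPassword`, so the MD5 column can eventually be retired rather than consulted indefinitely. The enclosing method's signature is above this hunk and its body continues below it.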
||||||
|
|