From bd05d77afe9babaf001207412bdc7c8f02f0cce3 Mon Sep 17 00:00:00 2001
From: Deon George
Date: Thu, 1 Sep 2016 20:55:15 +1000
Subject: [PATCH] Convert password during login to new secure hash
---
 classes/lnAuth/Auth/ORM.php | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/classes/lnAuth/Auth/ORM.php b/classes/lnAuth/Auth/ORM.php
index 2a00081..ee33885 100644
--- a/classes/lnAuth/Auth/ORM.php
+++ b/classes/lnAuth/Auth/ORM.php
@@ -96,12 +96,29 @@ abstract class lnAuth_Auth_ORM extends lnApp_Auth_ORM {
 return FALSE;
 }
- // Create a hashed password
- if (is_string($password))
- $password = $this->hash($password);
+ // Convert user password to new hash method
+ if (is_string($password) AND ! password_verify($password,$user->password) AND ! in_array($this->_config['hash_method'],['md5','sha1'])) {
+ // Was MD5
+ if (
+ (md5($password) == $user->password) OR
+ (sha1($password) == $user->password)
+ ) {
+ // It will be re-hased by ORM
+ $user->password = $password;
+
+ if (! $user->save())
+ throw HTTP_Exception::factory(501,'Error converting password for :user',array(':user'=>$user->name()));
+ else {
+ SystemMessage::factory()
+ ->title('Password Update')
+ ->type('info')
+ ->body('Your password was updated to a more secure algorithm');
+ }
+ }
+ }
 // If the passwords match, perform a login
- if ($user->active AND $user->has_any('group',ORM::factory('Group',array('name'=>'Registered Users'))->list_childgrps(TRUE)) AND $user->password === $password) {
+ if ($user->active AND $user->has_any('group',ORM::factory('Group',array('name'=>'Registered Users'))->list_childgrps(TRUE)) AND password_verify($password,$user->password)) {
 // @todo This is not currently used.
 if ($remember === TRUE) {
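Review bot: The legacy-hash check in the added `// Was MD5` block compares digests with loose `==`, so PHP compares two numeric-looking hex strings (for example `0e` followed only by digits) as numbers and can treat different hashes as equal; it is also not a constant-time comparison. Use `hash_equals($user->password, md5($password)) OR hash_equals($user->password, sha1($password))` instead. The same branch assigns the cleartext to `$user->password` and relies on the model re-hashing it on save, as the comment says; that filter is not visible in this hunk, so confirm it, or check `password_verify($password,$user->password)` right after `save()`, so that cleartext can never be persisted. The enclosing method starts and ends outside this hunk.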