Convert password during login to new secure hash

Deon George 2016-09-01 20:55:15 +10:00
parent 81edc432b4
commit bd05d77afe


@ -96,12 +96,29 @@ abstract class lnAuth_Auth_ORM extends lnApp_Auth_ORM {
return FALSE; return FALSE;
} }
// Create a hashed password // Convert user password to new hash method
if (is_string($password)) if (is_string($password) AND ! password_verify($password,$user->password) AND ! in_array($this->_config['hash_method'],['md5','sha1'])) {
$password = $this->hash($password); // Was MD5
if (
(md5($password) == $user->password) OR
(sha1($password) == $user->password)
) {
// It will be re-hased by ORM
$user->password = $password;
if (! $user->save())
throw HTTP_Exception::factory(501,'Error converting password for :user',array(':user'=>$user->name()));
else {
SystemMessage::factory()
->title('Password Update')
->type('info')
->body('Your password was updated to a more secure algorithm');
}
}
}
// If the passwords match, perform a login // If the passwords match, perform a login
if ($user->active AND $user->has_any('group',ORM::factory('Group',array('name'=>'Registered Users'))->list_childgrps(TRUE)) AND $user->password === $password) { if ($user->active AND $user->has_any('group',ORM::factory('Group',array('name'=>'Registered Users'))->list_childgrps(TRUE)) AND password_verify($password,$user->password)) {
// @todo This is not currently used. // @todo This is not currently used.
if ($remember === TRUE) { if ($remember === TRUE) {
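Review bot: The legacy-hash check on the `(md5($password) == $user->password) OR` and `(sha1($password) == $user->password)` lines uses loose comparison, so two digests that both look like numeric strings (the `0e…` form) compare equal, and a non-matching password could be accepted and then saved as the account's new hash. Use `hash_equals($user->password, md5($password))` and `hash_equals($user->password, sha1($password))` instead; this compares the strings exactly and in constant time. Separately, the later `password_verify($password,$user->password)` only succeeds for a just-converted account if `save()` leaves the re-hashed value in `$user->password`, as the "re-hased by ORM" comment assumes; the ORM side is not visible here and should be confirmed. The enclosing method begins before and continues past the lines shown.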