feat: migrate to bcrypt for passwords

Niklas Bittner 2024-02-25 23:38:53 +01:00 committed by Jay Trees
parent 2751bb2028
commit c684f3535a
2 changed files with 41 additions and 9 deletions


@ -35,10 +35,16 @@ class User
} }
public static function passwordToHash(string $plainPassword): string public static function passwordToHash(string $plainPassword): string
{
return password_hash($plainPassword, PASSWORD_BCRYPT);
}
public static function passwordToOldHash(string $plainPassword): string
{ {
return sha1($plainPassword); return sha1($plainPassword);
} }
public static function getCurrent(): self public static function getCurrent(): self
{ {
if (!isset($_SESSION['user'])) { if (!isset($_SESSION['user'])) {
@ -363,6 +369,22 @@ class User
?: $this->email; ?: $this->email;
} }
public function updatePasswordHash(string $password, string $email): string {
global $database;
$passwordHash = User::passwordToHash($password);
$database->query(
'UPDATE `users`
SET `password` = :password_hash
WHERE `email` = :user_email',
[
"user_email" => $email,
"password_hash" => $passwordHash
]
);
return $passwordHash;
}
/** /**
* Attempts to log in the user. Return whether it was successful or not. * Attempts to log in the user. Return whether it was successful or not.
* *
@ -392,11 +414,9 @@ class User
->query( ->query(
'SELECT * 'SELECT *
FROM `users` FROM `users`
WHERE `email` = :user_email WHERE `email` = :user_email',
AND `password` = :user_password;',
[ [
'user_email' => $email, 'user_email' => $email
'user_password' => $password,
] ]
) )
->fetch(\PDO::FETCH_ASSOC); ->fetch(\PDO::FETCH_ASSOC);
@ -409,6 +429,20 @@ class User
return false; return false;
} }
$passwordHash = User::passwordToOldHash($password);
if ($passwordHash === $user_database_fields["password"]) {
$passwordHash = User::updatePasswordHash($password, $email);
} else {
$passwordHash = $user_database_fields["password"];
}
$password_matches = password_verify($password, $passwordHash);
if(!$password_matches) {
return false;
}
/** /**
* Update the `last_login` column. * Update the `last_login` column.
*/ */
@ -416,11 +450,9 @@ class User
->query( ->query(
'UPDATE `users` 'UPDATE `users`
SET `last_login` = NOW() SET `last_login` = NOW()
WHERE `email` = :user_email WHERE `email` = :user_email',
AND `password` = :user_password;',
[ [
'user_email' => $email, 'user_email' => $email
'user_password' => $password,
] ]
); );
$user_database_fields['last_login'] = date('Y-m-d H:i'); $user_database_fields['last_login'] = date('Y-m-d H:i');
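Review bot: The legacy-hash check in the login hunk, `if ($passwordHash === $user_database_fields["password"])`, compares the sha1 of the submitted password against the stored value with `===`, which stops at the first differing byte; write it as `if (hash_equals($user_database_fields["password"], $passwordHash)) {` so the fallback path is constant-time like the `password_verify` call that follows. The next line calls `User::updatePasswordHash(...)`, which the earlier hunk declares as a non-static `public function`; inside an instance method of the same class PHP forwards `$this`, so it runs, but `$passwordHash = $this->updatePasswordHash($password, $email);` states the intent and will not break with a static-call Error if the code is ever moved out of the class. Since `passwordToHash` pins `PASSWORD_BCRYPT`, consider also calling `password_needs_rehash($passwordHash, PASSWORD_BCRYPT)` after a successful verify and reusing `updatePasswordHash` there, so a later cost-factor change rolls out the same way the sha1 migration does. The `login` method begins before this hunk.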


@ -15,7 +15,7 @@ $page = new Page(__FILE__, __('Login'));
*/ */
if (isset($_POST['login'], $_POST['email'], $_POST['password'])) { if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
$user_email = \filter_input(\INPUT_POST, 'email', FILTER_SANITIZE_EMAIL); $user_email = \filter_input(\INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$user_password = User::passwordToHash($_POST['password']); $user_password = $_POST['password'];
$userLoginIsPersistent = isset($_POST['persistent']); $userLoginIsPersistent = isset($_POST['persistent']);
$user->login($user_email, $user_password, $userLoginIsPersistent); $user->login($user_email, $user_password, $userLoginIsPersistent);