feat: migrate to bcrypt for passwords
parent
2751bb2028
commit
c684f3535a
2 changed files with 41 additions and 9 deletions
|
@ -35,10 +35,16 @@ class User
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function passwordToHash(string $plainPassword): string
|
public static function passwordToHash(string $plainPassword): string
|
||||||
|
{
|
||||||
|
return password_hash($plainPassword, PASSWORD_BCRYPT);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static function passwordToOldHash(string $plainPassword): string
|
||||||
{
|
{
|
||||||
return sha1($plainPassword);
|
return sha1($plainPassword);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public static function getCurrent(): self
|
public static function getCurrent(): self
|
||||||
{
|
{
|
||||||
if (!isset($_SESSION['user'])) {
|
if (!isset($_SESSION['user'])) {
|
||||||
|
@ -363,6 +369,22 @@ class User
|
||||||
?: $this->email;
|
?: $this->email;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function updatePasswordHash(string $password, string $email): string {
|
||||||
|
global $database;
|
||||||
|
$passwordHash = User::passwordToHash($password);
|
||||||
|
|
||||||
|
$database->query(
|
||||||
|
'UPDATE `users`
|
||||||
|
SET `password` = :password_hash
|
||||||
|
WHERE `email` = :user_email',
|
||||||
|
[
|
||||||
|
"user_email" => $email,
|
||||||
|
"password_hash" => $passwordHash
|
||||||
|
]
|
||||||
|
);
|
||||||
|
return $passwordHash;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Attempts to log in the user. Return whether it was successful or not.
|
* Attempts to log in the user. Return whether it was successful or not.
|
||||||
*
|
*
|
||||||
|
@ -392,11 +414,9 @@ class User
|
||||||
->query(
|
->query(
|
||||||
'SELECT *
|
'SELECT *
|
||||||
FROM `users`
|
FROM `users`
|
||||||
WHERE `email` = :user_email
|
WHERE `email` = :user_email',
|
||||||
AND `password` = :user_password;',
|
|
||||||
[
|
[
|
||||||
'user_email' => $email,
|
'user_email' => $email
|
||||||
'user_password' => $password,
|
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
->fetch(\PDO::FETCH_ASSOC);
|
->fetch(\PDO::FETCH_ASSOC);
|
||||||
|
@ -409,6 +429,20 @@ class User
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$passwordHash = User::passwordToOldHash($password);
|
||||||
|
|
||||||
|
if ($passwordHash === $user_database_fields["password"]) {
|
||||||
|
$passwordHash = User::updatePasswordHash($password, $email);
|
||||||
|
} else {
|
||||||
|
$passwordHash = $user_database_fields["password"];
|
||||||
|
}
|
||||||
|
|
||||||
|
$password_matches = password_verify($password, $passwordHash);
|
||||||
|
|
||||||
|
if(!$password_matches) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Update the `last_login` column.
|
* Update the `last_login` column.
|
||||||
*/
|
*/
|
||||||
|
@ -416,11 +450,9 @@ class User
|
||||||
->query(
|
->query(
|
||||||
'UPDATE `users`
|
'UPDATE `users`
|
||||||
SET `last_login` = NOW()
|
SET `last_login` = NOW()
|
||||||
WHERE `email` = :user_email
|
WHERE `email` = :user_email',
|
||||||
AND `password` = :user_password;',
|
|
||||||
[
|
[
|
||||||
'user_email' => $email,
|
'user_email' => $email
|
||||||
'user_password' => $password,
|
|
||||||
]
|
]
|
||||||
);
|
);
|
||||||
$user_database_fields['last_login'] = date('Y-m-d H:i');
|
$user_database_fields['last_login'] = date('Y-m-d H:i');
|
||||||
|
|
|
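Review bot: The legacy-hash comparison `$passwordHash === $user_database_fields["password"]` in the `@ -409,6 +429,20` hunk uses early-exit string equality; use `if (hash_equals($user_database_fields["password"], $passwordHash)) {` so the migration path does not expose timing differences about the stored value, and note that `password_verify` then runs on the fresh bcrypt hash returned by `updatePasswordHash`, so a failure on that branch can only be a bug rather than a wrong password. Once verified, a `password_needs_rehash($passwordHash, PASSWORD_BCRYPT)` check would let future cost changes roll out the same way this sha1 migration does. `updatePasswordHash` is declared as an instance method in the `@ -363,6 +369,22` hunk but invoked as `User::updatePasswordHash(...)`; that appears to work only because `login` is called on an instance, so either declare it `public static function` or call it as `$this->updatePasswordHash($password, $email)`. That method also lacks the docblock its neighbours carry; `/** Re-hashes $password with bcrypt, stores it for $email and returns the new hash. */` would do. The enclosing `login` method starts and ends outside these hunks.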
@ -15,7 +15,7 @@ $page = new Page(__FILE__, __('Login'));
|
||||||
*/
|
*/
|
||||||
if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
|
if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
|
||||||
$user_email = \filter_input(\INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
|
$user_email = \filter_input(\INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
|
||||||
$user_password = User::passwordToHash($_POST['password']);
|
$user_password = $_POST['password'];
|
||||||
$userLoginIsPersistent = isset($_POST['persistent']);
|
$userLoginIsPersistent = isset($_POST['persistent']);
|
||||||
|
|
||||||
$user->login($user_email, $user_password, $userLoginIsPersistent);
|
$user->login($user_email, $user_password, $userLoginIsPersistent);
|
||||||
|
|
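Review bot: `$user_password = $_POST['password'];` now hands the raw request value to `login`, which is correct for bcrypt, but the `isset` guard on the line above also accepts a non-string (array-shaped) value, and `sha1`/`password_verify` downstream throw a TypeError on that instead of returning false. Tightening the guard to `if (isset($_POST['login'], $_POST['email'], $_POST['password']) && is_string($_POST['password'])) {` keeps malformed submissions on the normal failure path. Whether `login` itself declares `$password` as `string` I cannot tell from this hunk.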