feat: migrate to bcrypt for passwords

2024-02-25 23:38:53 +01:00 · 2024-02-25 23:38:53 +01:00 · c684f3535a
commit c684f3535a
parent 2751bb2028
2 changed files with 41 additions and 9 deletions
--- a/src/classes/wishthis/User.php
+++ b/src/classes/wishthis/User.php
@ -35,10 +35,16 @@ class User
    }
    public static function passwordToHash(string $plainPassword): string
    {
        return password_hash($plainPassword, PASSWORD_BCRYPT);
    }
    public static function passwordToOldHash(string $plainPassword): string
    {
        return sha1($plainPassword);
    }
    public static function getCurrent(): self
    {
        if (!isset($_SESSION['user'])) {
@ -363,6 +369,22 @@ class User
            ?: $this->email;
    }
    public function updatePasswordHash(string $password, string $email): string {
        global $database;
        $passwordHash = User::passwordToHash($password);
        $database->query(
            'UPDATE `users`
                SET `password` = :password_hash
            WHERE `email` = :user_email',
            [
                "user_email" => $email,
                "password_hash" => $passwordHash
            ]
            );
        return $passwordHash;
    }
    /**
     * Attempts to log in the user. Return whether it was successful or not.
     *
@ -392,11 +414,9 @@ class User
        ->query(
            'SELECT *
               FROM `users`
-              WHERE `email`      = :user_email
+              WHERE `email`      = :user_email',
                AND `password`   = :user_password;',
            [
-                'user_email'    => $email,
+                'user_email'    => $email
                'user_password' => $password,
            ]
        )
        ->fetch(\PDO::FETCH_ASSOC);
@ -409,6 +429,20 @@ class User
            return false;
        }
        $passwordHash = User::passwordToOldHash($password);
        if ($passwordHash === $user_database_fields["password"]) {
            $passwordHash = User::updatePasswordHash($password, $email);
        } else {
            $passwordHash = $user_database_fields["password"];
        }
        $password_matches = password_verify($password, $passwordHash);
        if(!$password_matches) {
            return false;
        }
        /**
         * Update the `last_login` column.
         */
@ -416,11 +450,9 @@ class User
        ->query(
            'UPDATE `users`
                SET `last_login` = NOW()
-              WHERE `email`      = :user_email
+              WHERE `email`      = :user_email',
                AND `password`   = :user_password;',
            [
-                'user_email'    => $email,
+                'user_email'    => $email
                'user_password' => $password,
            ]
        );
        $user_database_fields['last_login'] = date('Y-m-d H:i');
--- a/src/pages/login.php
+++ b/src/pages/login.php
@ -15,7 +15,7 @@ $page = new Page(__FILE__, __('Login'));
 */
 if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
    $user_email            = \filter_input(\INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
-    $user_password         = User::passwordToHash($_POST['password']);
+    $user_password         = $_POST['password'];
    $userLoginIsPersistent = isset($_POST['persistent']);
    $user->login($user_email, $user_password, $userLoginIsPersistent);