feat: migrate to bcrypt for passwords

2024-02-25 23:38:53 +01:00 · 2024-02-25 23:38:53 +01:00 · c684f3535a
commit c684f3535a
parent 2751bb2028
2 changed files with 41 additions and 9 deletions
--- a/src/classes/wishthis/User.php
+++ b/src/classes/wishthis/User.php
@ -35,10 +35,16 @@ class User
    }

    public static function passwordToHash(string $plainPassword): string
+    {
+        return password_hash($plainPassword, PASSWORD_BCRYPT);
+    }
+
+    public static function passwordToOldHash(string $plainPassword): string
    {
        return sha1($plainPassword);
    }

+
    public static function getCurrent(): self
    {
        if (!isset($_SESSION['user'])) {
@ -363,6 +369,22 @@ class User
            ?: $this->email;
    }

+    public function updatePasswordHash(string $password, string $email): string {
+        global $database;
+        $passwordHash = User::passwordToHash($password);
+
+        $database->query(
+            'UPDATE `users`
+                SET `password` = :password_hash
+            WHERE `email` = :user_email',
+            [
+                "user_email" => $email,
+                "password_hash" => $passwordHash
+            ]
+            );
+        return $passwordHash;
+    }
+
    /**
     * Attempts to log in the user. Return whether it was successful or not.
     *
@ -392,11 +414,9 @@ class User
        ->query(
            'SELECT *
               FROM `users`
-              WHERE `email`      = :user_email
-                AND `password`   = :user_password;',
+              WHERE `email`      = :user_email',
            [
-                'user_email'    => $email,
-                'user_password' => $password,
+                'user_email'    => $email
            ]
        )
        ->fetch(\PDO::FETCH_ASSOC);
@ -409,6 +429,20 @@ class User
            return false;
        }

+        $passwordHash = User::passwordToOldHash($password);
+
+        if ($passwordHash === $user_database_fields["password"]) {
+            $passwordHash = User::updatePasswordHash($password, $email);
+        } else {
+            $passwordHash = $user_database_fields["password"];
+        }
+
+        $password_matches = password_verify($password, $passwordHash);
+
+        if(!$password_matches) {
+            return false;
+        }
+
        /**
         * Update the `last_login` column.
         */
@ -416,11 +450,9 @@ class User
        ->query(
            'UPDATE `users`
                SET `last_login` = NOW()
-              WHERE `email`      = :user_email
-                AND `password`   = :user_password;',
+              WHERE `email`      = :user_email',
            [
-                'user_email'    => $email,
-                'user_password' => $password,
+                'user_email'    => $email
            ]
        );
        $user_database_fields['last_login'] = date('Y-m-d H:i');
--- a/src/pages/login.php
+++ b/src/pages/login.php
@ -15,7 +15,7 @@ $page = new Page(__FILE__, __('Login'));
 */
 if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
    $user_email            = \filter_input(\INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
-    $user_password         = User::passwordToHash($_POST['password']);
+    $user_password         = $_POST['password'];
    $userLoginIsPersistent = isset($_POST['persistent']);

    $user->login($user_email, $user_password, $userLoginIsPersistent);