feat: migrate to bcrypt for passwords

This commit is contained in:
Niklas Bittner 2024-02-25 23:38:53 +01:00 committed by Jay Trees
parent 2751bb2028
commit c684f3535a
2 changed files with 41 additions and 9 deletions

View file

@ -35,10 +35,16 @@ class User
}
public static function passwordToHash(string $plainPassword): string
{
return password_hash($plainPassword, PASSWORD_BCRYPT);
}
public static function passwordToOldHash(string $plainPassword): string
{
return sha1($plainPassword);
}
public static function getCurrent(): self
{
if (!isset($_SESSION['user'])) {
@ -363,6 +369,22 @@ class User
?: $this->email;
}
public function updatePasswordHash(string $password, string $email): string {
global $database;
$passwordHash = User::passwordToHash($password);
$database->query(
'UPDATE `users`
SET `password` = :password_hash
WHERE `email` = :user_email',
[
"user_email" => $email,
"password_hash" => $passwordHash
]
);
return $passwordHash;
}
/**
* Attempts to log in the user. Return whether it was successful or not.
*
@ -392,11 +414,9 @@ class User
->query(
'SELECT *
FROM `users`
WHERE `email` = :user_email
AND `password` = :user_password;',
WHERE `email` = :user_email',
[
'user_email' => $email,
'user_password' => $password,
'user_email' => $email
]
)
->fetch(\PDO::FETCH_ASSOC);
@ -409,6 +429,20 @@ class User
return false;
}
$passwordHash = User::passwordToOldHash($password);
if ($passwordHash === $user_database_fields["password"]) {
$passwordHash = User::updatePasswordHash($password, $email);
} else {
$passwordHash = $user_database_fields["password"];
}
$password_matches = password_verify($password, $passwordHash);
if(!$password_matches) {
return false;
}
/**
* Update the `last_login` column.
*/
@ -416,11 +450,9 @@ class User
->query(
'UPDATE `users`
SET `last_login` = NOW()
WHERE `email` = :user_email
AND `password` = :user_password;',
WHERE `email` = :user_email',
[
'user_email' => $email,
'user_password' => $password,
'user_email' => $email
]
);
$user_database_fields['last_login'] = date('Y-m-d H:i');

View file

@ -15,7 +15,7 @@ $page = new Page(__FILE__, __('Login'));
*/
if (isset($_POST['login'], $_POST['email'], $_POST['password'])) {
$user_email = \filter_input(\INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$user_password = User::passwordToHash($_POST['password']);
$user_password = $_POST['password'];
$userLoginIsPersistent = isset($_POST['persistent']);
$user->login($user_email, $user_password, $userLoginIsPersistent);