Re-implementing SimplePasswordHasher to use the more secure

password_hash function Also requiring a compatible php library for password_hash for users on version < 5.5
cakephp · Jun 3, 2014 · 0656ed8 · 0656ed8 · sitedyno · Jun 5, 2014
1 parent d029a72
commit 0656ed8
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 4 deletions.
diff --git a/composer.json b/composer.json
@@ -22,7 +22,8 @@
 		"ext-intl": "*",
 		"ext-mcrypt": "*",
 		"ext-mbstring": "*",
-		"nesbot/Carbon": "1.8.*"
+		"nesbot/Carbon": "1.8.*",
+		"ircmaxell/password-compat": "1.0.*"
 	},
 	"require-dev": {
 		"phpunit/phpunit": "*"

diff --git a/src/Controller/Component/Auth/AbstractPasswordHasher.php b/src/Controller/Component/Auth/AbstractPasswordHasher.php
@@ -61,4 +61,19 @@ abstract public function hash($password);
  */
 	abstract public function check($password, $hashedPassword);
 
+/**
+ * Returns true if the password need to be rehashed, due to the password being
+ * created with anything else than the passwords generated by this class.
+ *
+ * Returns true by default since the only implementation users should rely
+ * on is the one provided by default in php 5.5+ or any compatible library
+ *
+ * @param string $password The password to verify
+ * @param mixed $hashType the algorithm used to hash the password
+ * @return boolean
+ */
+	public function needsRehash($password, $hashType) {
+		return true;
+	}
+
 }
diff --git a/src/Controller/Component/Auth/SimplePasswordHasher.php b/src/Controller/Component/Auth/SimplePasswordHasher.php
@@ -29,7 +29,7 @@ class SimplePasswordHasher extends AbstractPasswordHasher {
  * @var array
  */
 	protected $_defaultConfig = [
-		'hashType' => null
+		'hashType' => PASSWORD_DEFAULT
 	];
 
 /**
@@ -40,7 +40,7 @@ class SimplePasswordHasher extends AbstractPasswordHasher {
  * @link http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#hashing-passwords
  */
 	public function hash($password) {
-		return Security::hash($password, $this->_config['hashType'], true);
+		return password_hash($password, $this->_config['hash']);
 	}
 
 /**
@@ -51,7 +51,22 @@ public function hash($password) {
  * @return bool True if hashes match else false.
  */
 	public function check($password, $hashedPassword) {
-		return $hashedPassword === $this->hash($password);
+		return password_verify($password, $hashedPassword);
+	}
+
+/**
+ * Returns true if the password need to be rehashed, due to the password being
+ * created with anything else than the passwords generated by this class.
+ *
+ * Returns true by default since the only implementation users should rely
+ * on is the one provided by default in php 5.5+ or any compatible library
+ *
+ * @param string $password The password to verify
+ * @param mixed $hashType the algorithm used to hash the password
+ * @return boolean
+ */
+	public function needsRehash($password, $hashType) {
+		return password_needs_rehash($password, $hashType);
 	}
 
 }