CakePHP 3.0 Authentication #66

Closed
archanavhire opened this issue Jun 9, 2014 · 18 comments

@archanavhire

I am able to add a user, but Auth login is still not working.
The link to the gist is as follows:
https://gist.github.com/archanavhire/1460ebc16a7510d8d589

@lorenzo lorenzo added this to the 3.0.0 milestone Jun 9, 2014
@lorenzo
Member

lorenzo commented Jun 9, 2014

What is not working exactly? Password hashers were recently changed in 3.0; you may want to take a look at the auth tutorial again and perhaps manually reset passwords for your current database if it is an option for you. In the future, please open tickets in cakephp/cakephp.

@archanavhire
Author

I am not able to log in after submitting with the login button; it always goes into the else part.
I am giving the right username and password. Please look into my auth login code.
I followed all the steps for authentication.
https://gist.github.com/archanavhire/1460ebc16a7510d8d589

@lorenzo
Member

lorenzo commented Jun 9, 2014

Can you debug whether the hashed passwords match? Go into the BaseAuthenticate class and debug the hashed password value and compare it to the one in the database.

@archanavhire
Author

I found the bug, which is in the FormAuthenticate class. _checkFields of the FormAuthenticate class returns false because of the username field (in my form it is email), but I already specified the email field instead of username in the app controller.
I am still not able to fix this bug.

@ADmad
Member

ADmad commented Jun 9, 2014

The problem was in your config:

$this->Auth->config('authenticate', ['Form'=>['username'=>'email','password'=>'password']]);

You are missing the fields key. It should be:

$this->Auth->config('authenticate', ['Form'=>['fields' =>['username'=>'email','password'=>'password']]]);

@ADmad ADmad closed this as completed Jun 9, 2014
@archanavhire
Author

The problem is in the $this->passwordHasher()->check($password, $result[$fields['password']]) function, which is in the BaseAuthenticate class.
The function is returning false even though I got a result array.

@lorenzo
Member

lorenzo commented Jun 9, 2014

Can you go into the hasher code and compare what it produces versus what you have stored in the database?

@archanavhire
Author

Yes, I did it and I found the record in the database. It is also returning the result in the $result variable.
But after that it is again checking passwordHasher, which is returning false.

@lorenzo
Member

lorenzo commented Jun 9, 2014

You're still not answering my question: how does the password stored in your database compare to what the password hasher is producing?

@archanavhire
Author

I stored the password as a Blowfish hash, which is 50 char.
App\Model\Entity\User.php

hash($password); } } ?>

@lorenzo
Member

lorenzo commented Jun 9, 2014

Can you paste here the password stored in your database and the one that is checked in the password hasher class?

@archanavhire
Author

In the database:
$2y$10$6dab8w1rJ0RP411hkl.B8OBwzwaK0ZgnZoR7/XjmBPo
In the result variable:
[password] => $2y$10$6dab8w1rJ0RP411hkl.B8OBwzwaK0ZgnZoR7/XjmBPo

@archanavhire
Author

OK, I got it.
In the $this->passwordHasher()->check($password, $result[$fields['password']]) function,
$password is in simple text and $result[$fields['password']] is hashed, so it is returning false.

@lorenzo
Member

lorenzo commented Jun 9, 2014

Both passwords are the same, how come the password checker returns false then? Can you help us debug that?

@lorenzo
Member

lorenzo commented Jun 9, 2014

If you are using the latest CakePHP 3.0, please use SimplePasswordHasher instead of Blowfish.

@archanavhire
Author

As you suggested, I switched from Blowfish to SimplePasswordHasher. But authentication is still not working because the password is not matching. The following code returns false:
password_verify($password, $hashedPassword);

Password returned by the hasher:
'$2y$10$dDcxwWtDJVYnRfNX.wIBJuQdokyX65ZpaQCcqvQSQOiGH7yf7HMAG'
Password in my DB:
'$2y$10$HJ9urHeVBzXezb0Hh13AJeU3PquK2f4yLIrl9bHNVWl'

My updated gist link is:
https://gist.github.com/archanavhire/842266d5953c0df413f2

@markstory
Member

Your DB column is probably too short; bcrypt hashes are much longer than sha1's. If you are using a fixed length column they will be truncated.
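
The truncation described in the comment above, as an added example that is not part of the original thread and is not CakePHP code. The function names, the sample password and the column lengths are assumptions for illustration; the `from_thread` value is the 50-character stored hash quoted earlier on this page.

```php
<?php
// Added example: constructed data, not code from the thread or from CakePHP.

// A complete bcrypt hash is exactly 60 characters:
// "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char digest.
function isCompleteBcrypt(string $hash): bool
{
    return preg_match('#^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$#', $hash) === 1;
}

// Simulates what a too-short column does to the value written into it.
function storeInColumn(string $value, int $columnLength): string
{
    return substr($value, 0, $columnLength);
}

// Returns the keys of rows whose stored hash is incomplete and so can
// never pass password_verify(), whatever password is supplied.
function findTruncatedHashes(array $rows): array
{
    $bad = [];
    foreach ($rows as $id => $stored) {
        if (!isCompleteBcrypt($stored)) {
            $bad[] = $id;
        }
    }
    return $bad;
}

$password = 'correct horse battery staple'; // constructed sample password
$full = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$rows = [
    'wide_column'   => storeInColumn($full, 255), // hypothetical column sizes
    'narrow_column' => storeInColumn($full, 50),
    // 50-character stored value quoted in the thread
    'from_thread'   => '$2y$10$HJ9urHeVBzXezb0Hh13AJeU3PquK2f4yLIrl9bHNVWl',
];

// The salt survives truncation, but the digest does not, so the
// recomputed 60-character hash never equals the stored 50-character one.
var_dump(strlen($full));
var_dump(password_verify($password, $rows['wide_column']));
var_dump(password_verify($password, $rows['narrow_column']));
print_r(findTruncatedHashes($rows));
```

Widening the column fixes new writes only; rows already truncated have lost part of the digest and need a password reset.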

@archanavhire
Author

Thank you very much. Now it's working.
:)
