BCrypt/PHP's password_hash support

- added config var `use_password_hash` - added config var `password_hash_algo` - added config var `password_hash_options` - added `verify_password()` - changed `login()` (changed pass check with new the function, added a little skip for pass recreation if password_hash is active) - changed `hash_password()` - added `sql/Aauth_v2_BCrypt.sql` with a working password if BCrypt is active
emreakay · May 14, 2016 · bd33c95 · bd33c95
1 parent e4aa1f5
commit bd33c95
Show file tree

Hide file tree

Showing 3 changed files with 211 additions and 8 deletions.
diff --git a/application/config/aauth.php b/application/config/aauth.php
@@ -68,6 +68,9 @@
 |
 |	['hash']							Name of selected hashing algorithm (e.g. "md5", "sha256", "haval160,4", etc..)
 |										Please, run hash_algos() for know your all supported algorithms
+| 	['use_password_hash']               True to use PHP's own password_hash() function with BCrypt, needs PHP5.5 or higher
+| 	['password_hash_algo']              password_hash algorithm ("PASSWORD_DEFAULT", "PASSWORD_BCRYPT") 
+| 	['password_hash_options']           password_hash options array for details see http://php.net/manual/en/function.password-hash.php
 |
 */
 $config_aauth = array();
@@ -125,7 +128,10 @@
 	'verification_link'              => '/account/verification/',
 	'reset_password_link'            => '/account/reset_password/',
 
-	'hash'							 =>	'sha256'
+	'hash'                           => 'sha256',
+	'use_password_hash'              => false,
+	'password_hash_algo'             => 'PASSWORD_DEFAULT',
+	'password_hash_options'          => array()
 );
 
 $config['aauth'] = $config_aauth['default'];

diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php
@@ -281,17 +281,16 @@ public function login($identifier, $pass, $remember = FALSE, $totp_code = NULL)
 
 		$query = null;
 		$query = $this->aauth_db->where($db_identifier, $identifier);
-
-		// Database stores pasword hashed password
-		$query = $this->aauth_db->where('pass', $this->hash_password($pass, $user_id));
 		$query = $this->aauth_db->where('banned', 0);
 
 		$query = $this->aauth_db->get($this->config_vars['users']);
 
 		$row = $query->row();
 
 		// if email and pass matches and not banned
-		if ( $query->num_rows() != 0 ) {
+		$password = ($this->config_vars['use_password_hash'] ? $pass : $this->hash_password($pass, $row->id));
+
+		if ( $query->num_rows() != 0 && $this->verify_password($password, $row->pass) ) {
 
 			// If email and pass matches
 			// create session
@@ -762,7 +761,9 @@ public function create_user($email, $pass, $name = FALSE) {
 
 			// Update to correct salted password
 			$data = null;
-			$data['pass'] = $this->hash_password($pass, $user_id);
+			if( !$this->config_vars['use_password_hash']){
+				$data['pass'] = $this->hash_password($pass, $user_id);
+			}
 			$this->aauth_db->where('id', $user_id);
 			$this->aauth_db->update($this->config_vars['users'], $data);
 
@@ -1157,9 +1158,28 @@ public function update_activity($user_id = FALSE) {
 	 * @return string Hashed password
 	 */
 	function hash_password($pass, $userid) {
+		if($this->config_vars['use_password_hash']){
+			return password_hash($pass, $this->config_vars['password_hash_algo'], $this->config_vars['password_hash_options']);
+		}else{
+			$salt = md5($userid);
+			return hash($this->config_vars['hash'], $salt.$pass);
+		}
+	}
 
-		$salt = md5($userid);
-		return hash($this->config_vars['hash'], $salt.$pass);
+	/**
+	 * Verify password
+	 * Verfies the hashed password
+	 * @param string $password Password
+	 * @param string $hash Hashed Password
+	 * @param string $user_id 
+	 * @return bool False or True
+	 */
+	function verify_password($password, $hash) {
+		if($this->config_vars['use_password_hash']){
+			return password_verify($password, $hash);
+		}else{
+			return ($password == $hash ? TRUE : FALSE);
+		}
 	}
 
 	########################

diff --git a/sql/Aauth_v2_BCrypt.sql b/sql/Aauth_v2_BCrypt.sql
@@ -0,0 +1,177 @@
+/*
+	Aauth SQL Table Structure
+*/
+
+SET FOREIGN_KEY_CHECKS=0;
+
+-- ----------------------------
+-- Table structure for `aauth_groups`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_groups`;
+CREATE TABLE `aauth_groups` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `name` varchar(100),
+  `definition` text,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;
+
+-- ----------------------------
+-- Records of aauth_groups
+-- ----------------------------
+INSERT INTO `aauth_groups` VALUES ('1', 'Admin', 'Super Admin Group');
+INSERT INTO `aauth_groups` VALUES ('2', 'Public', 'Public Access Group');
+INSERT INTO `aauth_groups` VALUES ('3', 'Default', 'Default Access Group');
+
+-- ----------------------------
+-- Table structure for `aauth_perms`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_perms`;
+CREATE TABLE `aauth_perms` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `name` varchar(100),
+  `definition` text,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- ----------------------------
+-- Records of aauth_perms
+-- ----------------------------
+
+-- ----------------------------
+-- Table structure for `aauth_perm_to_group`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_perm_to_group`;
+CREATE TABLE `aauth_perm_to_group` (
+  `perm_id` int(11) unsigned DEFAULT NULL,
+  `group_id` int(11) unsigned DEFAULT NULL,
+  PRIMARY KEY (`perm_id`,`group_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- ----------------------------
+-- Records of aauth_perm_to_group
+-- ----------------------------
+
+-- ----------------------------
+-- Table structure for `aauth_perm_to_user`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_perm_to_user`;
+CREATE TABLE `aauth_perm_to_user` (
+  `perm_id` int(11) unsigned DEFAULT NULL,
+  `user_id` int(11) unsigned DEFAULT NULL,
+  PRIMARY KEY (`perm_id`,`user_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- ----------------------------
+-- Records of aauth_perm_to_user
+-- ----------------------------
+
+-- ----------------------------
+-- Table structure for `aauth_pms`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_pms`;
+CREATE TABLE `aauth_pms` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `sender_id` int(11) unsigned NOT NULL,
+  `receiver_id` int(11) unsigned NOT NULL,
+  `title` varchar(255) NOT NULL,
+  `message` text,
+  `date_sent` datetime DEFAULT NULL,
+  `date_read` datetime DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  KEY `full_index` (`id`,`sender_id`,`receiver_id`,`date_read`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- ----------------------------
+-- Records of aauth_pms
+-- ----------------------------
+
+-- ----------------------------
+-- Table structure for `aauth_system_variables`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_system_variables`;
+CREATE TABLE `aauth_system_variables` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `data_key` varchar(100) NOT NULL,
+  `value` text,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- ----------------------------
+-- Records of aauth_system_variables
+-- ----------------------------
+
+-- ----------------------------
+-- Table structure for `aauth_users`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_users`;
+CREATE TABLE `aauth_users` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `email` varchar(100) COLLATE utf8_general_ci NOT NULL,
+  `pass` varchar(60) COLLATE utf8_general_ci NOT NULL,
+  `name` varchar(100) COLLATE utf8_general_ci,
+  `banned` tinyint(1) DEFAULT '0',
+  `last_login` datetime DEFAULT NULL,
+  `last_activity` datetime DEFAULT NULL,
+  `last_login_attempt` datetime DEFAULT NULL,
+  `forgot_exp` text COLLATE utf8_general_ci,
+  `remember_time` datetime DEFAULT NULL,
+  `remember_exp` text COLLATE utf8_general_ci,
+  `verification_code` text COLLATE utf8_general_ci,
+  `totp_secret` varchar(16) COLLATE utf8_general_ci DEFAULT NULL,
+  `ip_address` text COLLATE utf8_general_ci,
+  `login_attempts` int(11) DEFAULT '0',
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_general_ci;
+
+-- ----------------------------
+-- Records of aauth_users
+-- ----------------------------
+INSERT INTO `aauth_users` VALUES ('1', 'admin@example.com', '$2y$10$h19Lblcr6amOIUL1TgYW2.VVZOhac/e1kHMgAwCubMTlYXZrL0wS2', 'Admin', '0', null, null, null, null, null, null, null, null, null, '0');
+
+-- ----------------------------
+-- Table structure for `aauth_user_to_group`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_user_to_group`;
+CREATE TABLE `aauth_user_to_group` (
+  `user_id` int(11) unsigned NOT NULL DEFAULT '0',
+  `group_id` int(11) unsigned NOT NULL DEFAULT '0',
+  PRIMARY KEY (`user_id`,`group_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- ----------------------------
+-- Records of aauth_user_to_group
+-- ----------------------------
+INSERT INTO `aauth_user_to_group` VALUES ('1', '1');
+INSERT INTO `aauth_user_to_group` VALUES ('1', '3');
+
+-- ----------------------------
+-- Table structure for `aauth_user_variables`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_user_variables`;
+CREATE TABLE `aauth_user_variables` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `user_id` int(11) unsigned NOT NULL,
+  `data_key` varchar(100) NOT NULL,
+  `value` text,
+  PRIMARY KEY (`id`),
+  KEY `user_id_index` (`user_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- ----------------------------
+-- Records of aauth_user_variables
+-- ----------------------------
+
+-- ----------------------------
+-- Table structure for `aauth_perm_to_group`
+-- ----------------------------
+DROP TABLE IF EXISTS `aauth_group_to_group`;
+CREATE TABLE `aauth_group_to_group` (
+  `group_id` int(11) unsigned DEFAULT NULL,
+  `subgroup_id` int(11) unsigned DEFAULT NULL,
+  PRIMARY KEY (`group_id`,`subgroup_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+-- ----------------------------
+-- Records of aauth_perm_to_group
+-- ----------------------------
+