refactor password handling #77
Merged
For older PHP versions, use the ircmaxell/password-compat library.
A simple "passwords do not match" check is UI logic. Also, it seems the password mismatch error code was not even handled.
There's another method, Auth::updatePassword, which uses auth backends.
Use Auth::updatePassword to update the password.
Clearer this way that it is the user password.
This is to avoid writing empty passwords to the database.
From http://php.net/manual/en/function.password-hash.php: "PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)."
This is ready for merge.
glensc added a commit that referenced this pull request on Oct 19, 2015
You should never index the password column, i.e. make a SELECT where the password (or even a hash of it) is in the WHERE statement. You should always compare it client side.
Uses the password_hash family of functions by default. A compatibility library for older PHP versions is included.
New passwords are set using the new algorithm; existing hashes will be verified using the old methods. Auto migration of the hash on successful login and hash upgrade can be added in later releases.
Also added an old password prompt when changing the password and a trivial check that the new and old passwords differ (the auth backend said false anyway for such a password change). Also includes an SQL patch to clear the password for accounts where an empty password was stored for whatever reason.
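The following PHP sketch is an added example, not code from this pull request or from the project, of the scheme the description lays out together with the earlier review comment about never putting the password (or its hash) in a WHERE clause: fetch the stored hash by user identity, compare it in PHP, accept both `password_hash()` results and legacy hashes, upgrade the hash on successful login, refuse to store an empty password, and require the old password on change. The table and column names (`user`, `usr_id`, `usr_email`, `usr_password`), the assumption that legacy hashes are unsalted MD5, and the PDO wiring are all assumptions made for the example.

```php
<?php
// Added example: not Eventum's code and not code from this PR.
// Assumptions: table `user` with columns usr_id, usr_email, usr_password
// (VARCHAR(255), per the PHP manual note quoted in the review);
// legacy hashes are unsalted MD5 (32 hex characters).
declare(strict_types=1);

// Recognise a legacy hash by its shape (assumed: 32 hex chars = MD5).
function isLegacyHash(string $hash): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $hash);
}

// Verify against either a password_hash() result or a legacy hash.
// An empty stored hash never authenticates (the SQL patch in the PR clears
// such rows; this is the runtime guard for anything it missed).
function verifyPassword(string $password, string $storedHash): bool
{
    if ($storedHash === '') {
        return false;
    }
    if (isLegacyHash($storedHash)) {
        return hash_equals($storedHash, md5($password));
    }
    return password_verify($password, $storedHash);
}

// Write a fresh hash. Refuses an empty password rather than storing one.
function storeHash(PDO $db, int $userId, string $password): void
{
    if ($password === '') {
        throw new InvalidArgumentException('refusing to store an empty password');
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE user SET usr_password = ? WHERE usr_id = ?');
    $stmt->execute([$hash, $userId]);
}

// Login: look the row up by e-mail only, compare the hash in PHP, and
// upgrade legacy or outdated hashes once the password has been verified.
function login(PDO $db, string $email, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Used so a missing account costs about the same time as a wrong password.
        $dummyHash = password_hash('dummy-for-timing', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT usr_id, usr_password FROM user WHERE usr_email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }

    $stored = (string) $row['usr_password'];
    if (!verifyPassword($password, $stored)) {
        return false;
    }

    // Auto migration on successful login: legacy hash, or bcrypt whose
    // parameters no longer match PASSWORD_DEFAULT.
    if (isLegacyHash($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        storeHash($db, (int) $row['usr_id'], $password);
    }
    return true;
}

// Password change: the old password must verify, and the new one must be
// non-empty and different from the old one.
function changePassword(PDO $db, int $userId, string $old, string $new): bool
{
    $stmt = $db->prepare('SELECT usr_password FROM user WHERE usr_id = ?');
    $stmt->execute([$userId]);
    $current = $stmt->fetchColumn();
    if ($current === false || !verifyPassword($old, (string) $current)) {
        return false;
    }
    if ($new === '' || $new === $old) {
        return false;
    }
    storeHash($db, $userId, $new);
    return true;
}
```

The lookup in `login()` keys only on the e-mail address, so the password never appears in a query; `password_needs_rehash()` is what turns a later change of `PASSWORD_DEFAULT` (or of the bcrypt cost) into a transparent upgrade on the next successful login, which is the "hash upgrade" the description defers to a later release.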