
refactor password handling #77

Merged: 21 commits from the password_hash branch into eventum:master, Oct 19, 2015

Conversation

glensc (Member) commented Oct 16, 2015

Uses the password_hash family of functions by default.
A compatibility library for older PHP versions is included.

New passwords are set using the new algorithm; existing hashes will be verified using the old methods.
Auto-migration of the hash on successful login and hash upgrade can be added in later releases.

Also added an old-password prompt when changing the password, and a trivial check that the new and old passwords differ (the auth backend said false anyway for such a password change).

Also includes an SQL patch to clear the password for accounts where an empty password was stored for whatever reason.

for older PHP versions, use the ircmaxell/password-compat library
simple "passwords do not match" is UI logic.
also seems the password mismatch error code was not even handled.
there's another method in Auth::updatePassword, which uses auth backends
use Auth::updatePassword to update the password
clearer this way that it is the user password
this is to avoid writing empty passwords to the database
http://php.net/manual/en/function.password-hash.php

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0).

Note that this constant is designed to change over time as new and
stronger algorithms are added to PHP. For that reason, the length of the
result from using this identifier can change over time. Therefore, it is
recommended to store the result in a database column that can expand
beyond 60 characters (255 characters would be a good choice).
glensc added this to the 3.0.4 milestone Oct 16, 2015

glensc (Member, Author) commented Oct 16, 2015

this is ready for merge

glensc added a commit that referenced this pull request Oct 19, 2015
glensc merged commit 08c2113 into eventum:master Oct 19, 2015
glensc deleted the password_hash branch October 19, 2015 17:47
glensc added a commit that referenced this pull request Oct 19, 2015
glensc added a commit that referenced this pull request Oct 19, 2015
you should never index the password column, i.e. make a SELECT where the password
(or even a hash of it) is in the WHERE statement. should always compare it
client side.
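The pattern the PR description and the last commit note describe (hash new passwords with password_hash(), still accept legacy hashes, look the account up by username only and compare the password in PHP rather than in the WHERE clause, and upgrade the hash on a successful login, which the description leaves for a later release) as an added example; this is not Eventum's code. It assumes a hypothetical legacy format of an unsalted MD5 hex digest (the page does not state the old scheme), a users(username, password) table reached through PDO, an in-memory SQLite database for the constructed sample rows, and PHP 7 or later (on PHP < 5.5 the password-compat library named in the commits supplies the same password_* functions).

```php
<?php
// Added example, not Eventum's own code. Assumptions: legacy hashes are
// unsalted MD5 hex digests (hypothetical), users live in users(username, password),
// PHP >= 7 with pdo_sqlite available for the self-contained demo below.

final class PasswordHandler
{
    /** Hash a new password with the current default algorithm (bcrypt as of PHP 5.5). */
    public static function hash(string $plain): string
    {
        $hash = password_hash($plain, PASSWORD_DEFAULT);
        if ($hash === false) {
            throw new RuntimeException('password_hash() failed');
        }
        return $hash;   // 60 chars for bcrypt; store in a column wider than that
    }

    /** Verify against a stored hash, accepting both the new and the legacy format. */
    public static function verify(string $plain, string $stored): bool
    {
        if ($stored === '') {
            // An empty stored hash must never match, whatever the input.
            return false;
        }
        if (self::isLegacy($stored)) {
            // Constant-time comparison for the hypothetical legacy format.
            return hash_equals($stored, md5($plain));
        }
        return password_verify($plain, $stored);
    }

    /** True when the stored hash is legacy, or bcrypt with an outdated cost/algorithm. */
    public static function needsRehash(string $stored): bool
    {
        return self::isLegacy($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    private static function isLegacy(string $stored): bool
    {
        return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    }
}

/**
 * Login check: select by username only, compare the password in PHP (never in
 * the WHERE clause), and upgrade the stored hash after a successful verify.
 */
function login(PDO $db, string $username, string $plain): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();                 // false when no such user
    if ($stored === false || !PasswordHandler::verify($plain, (string) $stored)) {
        return false;
    }
    if (PasswordHandler::needsRehash((string) $stored)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([PasswordHandler::hash($plain), $username]);
    }
    return true;
}

// Self-contained demonstration with constructed rows in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(['alice', PasswordHandler::hash('correct horse')]);  // new-style hash
$ins->execute(['bob', md5('battery staple')]);                     // legacy hash (constructed)
$ins->execute(['mallory', '']);                                     // empty hash, the case the SQL patch clears

var_dump(login($db, 'alice', 'correct horse'));  // bool(true)
var_dump(login($db, 'bob', 'battery staple'));   // bool(true); bob's row is now a bcrypt hash
var_dump(login($db, 'bob', 'wrong'));            // bool(false)
var_dump(login($db, 'mallory', ''));             // bool(false): empty stored hash never matches
```

Keeping the comparison in PHP means the database only ever sees the username, so a query log or a timing difference in the WHERE clause never leaks anything about the hash, and the upgrade path runs only after the plaintext has been verified, which is the one moment the application legitimately holds it.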
glensc mentioned this pull request Jan 16, 2019