Password column must support SHA256|SALT style password storage. #52

Closed
jaw-sh opened this Issue Jun 9, 2015 · 1 comment

@jaw-sh
jaw-sh commented Jun 9, 2015

If a password is the length of SHA256 + 1 + 32, then the pass algorithm needs to be different.

If the password is the length of 60, then use BCRYPT comparison.

@jaw-sh jaw-sh added the enhancement label Jun 9, 2015
@jaw-sh jaw-sh self-assigned this Jun 9, 2015
@jaw-sh jaw-sh added this to the Milestone 2 milestone Jun 9, 2015
@jaw-sh jaw-sh added a commit that referenced this issue Jun 12, 2015
@jaw-sh jaw-sh #52 Added legacy password support. b15958e
@jaw-sh jaw-sh added a commit that referenced this issue Jun 12, 2015
@jaw-sh jaw-sh #52 Added legacy password support. f93c109
@jaw-sh
jaw-sh commented Jun 12, 2015

The legacy password support is a bit different than the ticket describes.

user.password works as normal, but is now nullable.
user.password_legacy is a nullable mediumText field that is built to store JSON encoded arrays with information about non-standard authentication keys.

Laravel has a built-in way of dealing with password encryption upgrades that runs off how PHP does it, but for old encryption methods it needs legacy keys.

Right now there is only one legacy item and it looks like this.

{
    "hasher": "Vichan",
    "hash": "3eb2ab8ecbc61500797c5a4e5cb695ec6e0daf106f25c7b7e817a9fe1e138765",
    "options": {
        "salt": "645543a56f8689599b5653bc1f7df8cc"
    }
}

This instructs the new EloquentUserProvider to load \App\Services\Hasher\VichanHasher instead of \Illuminate\Hasher\BcryptHasher for dealing with the information. This model is preloaded with the property salt, as defined, and given the input plaintext password. The VichanHasher then uses the unique methodology that Vichan uses to generate a hash and compares it to the hash key.

If it all checks out, then the password_legacy is cleared and the password is properly bcrypted into password.

This can be set up to handle any sort of password authentication.

@jaw-sh jaw-sh closed this Jun 12, 2015
@jaw-sh jaw-sh added a commit that referenced this issue Jun 12, 2015
@jaw-sh jaw-sh #52 Missing files. a102955
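
The login-time upgrade described in the last comment, as an added example that is not code from this repository or its commits. The function names, the in-memory `$user` row and the sample salt and password are hypothetical, and plain salted SHA-256 is an assumed stand-in for the Vichan scheme, which the issue does not spell out.

```php
<?php
declare(strict_types=1);

// Allowlist mapping the record's "hasher" name to a verifier function, so a
// value read from the database can never select arbitrary code.
const LEGACY_HASHERS = ['Vichan' => 'assumedVichanDigest'];

// ASSUMPTION: plain salted SHA-256 stands in for Vichan's real scheme,
// which the issue does not spell out.
function assumedVichanDigest(string $plain, string $salt): string
{
    return hash('sha256', $salt . $plain);
}

// $user is a hypothetical row with nullable 'password' and 'password_legacy'.
function attemptLogin(array &$user, string $plain): bool
{
    if ($user['password'] !== null) {
        return password_verify($plain, $user['password']); // normal bcrypt path
    }
    $legacy = json_decode($user['password_legacy'] ?? '', true);
    $name = $legacy['hasher'] ?? null;
    $hash = $legacy['hash'] ?? null;
    $salt = $legacy['options']['salt'] ?? null;
    if (!is_array($legacy) || !is_string($name) || !is_string($hash) || !is_string($salt)) {
        return false; // missing or malformed legacy record: fail closed
    }
    $verifier = LEGACY_HASHERS[$name] ?? null;
    if ($verifier === null) {
        return false; // unknown hasher name: fail closed
    }
    // Constant-time comparison of the stored digest with the recomputed one.
    if (!hash_equals($hash, $verifier($plain, $salt))) {
        return false;
    }
    // Upgrade: store a bcrypt hash and clear the legacy record.
    $user['password'] = password_hash($plain, PASSWORD_BCRYPT);
    $user['password_legacy'] = null;
    return true;
}

// Constructed sample row; the salt and password are made up for this example.
$salt = 'constructed-salt';
$user = ['password' => null, 'password_legacy' => json_encode([
    'hasher' => 'Vichan', 'hash' => hash('sha256', $salt . 'hunter2'),
    'options' => ['salt' => $salt]])];
var_dump(attemptLogin($user, 'wrong-guess')); // legacy record must stay in place
var_dump(attemptLogin($user, 'hunter2'));     // migrates the row to bcrypt
var_dump($user['password_legacy'], password_get_info($user['password'])['algoName']);
```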