[5.7] Remove Hash::check() for password verification

src/Illuminate/Auth/DatabaseUserProvider.php

@@ -152,8 +152,14 @@ protected function getGenericUser($user)
      */
     public function validateCredentials(UserContract $user, array $credentials)
     {
-        return $this->hasher->check(
-            $credentials['password'], $user->getAuthPassword()
+        $hashed = $user->getAuthPassword();
+
+        if (strlen($hashed) === 0) {
+            return false;
+        }
+
+        return password_verify(
+            $credentials['password'], $hashed
         );
     }
 }

src/Illuminate/Auth/EloquentUserProvider.php

@@ -138,8 +138,13 @@ public function retrieveByCredentials(array $credentials)
     public function validateCredentials(UserContract $user, array $credentials)
     {
         $plain = $credentials['password'];
+        $hashed = $user->getAuthPassword();
 
-        return $this->hasher->check($plain, $user->getAuthPassword());
+        if (strlen($hashed) === 0) {
+            return false;
+        }
+
+        return password_verify($plain, $hashed);
     }
 
     /**

tests/Auth/AuthDatabaseUserProviderTest.php

@@ -115,11 +115,22 @@ public function testCredentialValidation()
     {
         $conn = m::mock('Illuminate\Database\Connection');
         $hasher = m::mock('Illuminate\Contracts\Hashing\Hasher');
-        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(true);
         $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
         $user = m::mock('Illuminate\Contracts\Auth\Authenticatable');
-        $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
-        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('$2y$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm');
+        $result = $provider->validateCredentials($user, ['password' => 'secret']);
+
+        $this->assertTrue($result);
+    }
+
+    public function testCredentialValidationUsingUnknownAlgorithm()
+    {
+        $conn = m::mock('Illuminate\Database\Connection');
+        $hasher = m::mock('Illuminate\Contracts\Hashing\Hasher');
+        $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
+        $user = m::mock('Illuminate\Contracts\Auth\Authenticatable');
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('$1$0590adc6$WVAjBIam8sJCgDieJGLey0');
+        $result = $provider->validateCredentials($user, ['password' => 's3cr3t']);
 
         $this->assertTrue($result);
     }

tests/Auth/AuthEloquentUserProviderTest.php

@@ -90,11 +90,22 @@ public function testCredentialValidation()
     {
         $conn = m::mock('Illuminate\Database\Connection');
         $hasher = m::mock('Illuminate\Contracts\Hashing\Hasher');
-        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(true);
         $provider = new EloquentUserProvider($hasher, 'foo');
         $user = m::mock('Illuminate\Contracts\Auth\Authenticatable');
-        $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
-        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('$2y$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm');
+        $result = $provider->validateCredentials($user, ['password' => 'secret']);
+
+        $this->assertTrue($result);
+    }
+
+    public function testCredentialValidationUsingUnknownAlgorithm()
+    {
+        $conn = m::mock('Illuminate\Database\Connection');
+        $hasher = m::mock('Illuminate\Contracts\Hashing\Hasher');
+        $provider = new EloquentUserProvider($hasher, 'foo');
+        $user = m::mock('Illuminate\Contracts\Auth\Authenticatable');
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('$1$0590adc6$WVAjBIam8sJCgDieJGLey0');
+        $result = $provider->validateCredentials($user, ['password' => 's3cr3t']);
 
         $this->assertTrue($result);
     }