just use hard-coded hash
taylorotwell committed Dec 20, 2017
1 parent 4bfb164 commit f693a20
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions database/factories/UserFactory.php
Expand Up @@ -14,12 +14,10 @@
*/

$factory->define(App\User::class, function (Faker $faker) {
static $password;

return [
'name' => $faker->name,
'email' => $faker->unique()->safeEmail,
'password' => $password ?: $password = bcrypt('secret'),
'password' => '$2y$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm',
'remember_token' => str_random(10),
];
});
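Review bot: The hard-coded value on the new 'password' line carries no indication of which plaintext it hashes; once the removed bcrypt('secret') line is gone, nothing in the factory says what a test should submit when it logs in as a generated user. Add a trailing comment such as `// secret` next to the hash. The `$2y$10$` prefix also fixes the cost at 10 inside the literal, so it is worth noting in the same comment that the string has to be regenerated if a different password or cost is wanted.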

15 comments on commit f693a20

@mattstauffer
Member

🙌

@m1guelpf
Contributor

Why not $password ?? 'hashed-string'

@pavinthan
Contributor

@m1guelpf because there is no longer a $password 😃

@crynobone
Member

This still uses the default 10 rounding. Would there be any difference if we hard-code 4 rounding such as $2y$04$Ri4Tj1yi9EnO6EI3lS11suHnymOKbC63D85NeHHo74uk4dHe9eah2?

@MichaelDeBoey

@crynobone I don't think that it matters how many rounding is used, 'cause it's just a hard-coded string...
We could just use 'secret' as well I think...

@fletch3555

You can't use 'secret' since subsequent login attempts will fail. Also, the number of rounds affects run-time, albeit by a fairly small amount. It may make a difference if you're running hundreds of tests running the hashing function, but just a few tests (i.e. "create user" and "change password") shouldn't show a noticeable difference.

@Rah1x
@Rah1x Rah1x commented on f693a20 Oct 29, 2018


so what if we change it from secret to something else? And if so, how did you encrypt it? (so I can generate the new cipher)

@warrickbayman

Can I ask if there is a reason for the hard-coded hash and not Hash::make('secret')?

@laurencei
Contributor

@warrickbayman - yes, because this gets run every time on most tests (that use seeders). Having a hard-coded hash drastically improves your test speeds.

@laurencei
Contributor

@Rah1x - you can do

'password' => $password ?: $password = bcrypt('your-password-here'),

If you want to generate it yourself to be hardcoded (recommended for speed) - just run dd(bcrypt('your-password-here')); somewhere and save the string output to here.

@ludo237

What if the user model has something like

    public function setPasswordAttribute(string $value) : void
    {
        $this->attributes["password"] = bcrypt($value);
    }

@antonkomarev
Contributor

@ludo237 then you should make changes in your UserFactory.
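
The points raised in this thread (a plaintext value never verifies, the cost factor sets hashing time, and a hashing mutator double-hashes a pre-hashed factory value), shown as an added example that is not part of the commit or of Laravel. It uses PHP's built-in password_* functions in place of the bcrypt() helper; hashingMutator() and secondsToHash() are hypothetical names.

```php
<?php
// Added example: PHP's built-in password_* functions stand in for bcrypt().

// Hash committed in this change; the removed line derived it from bcrypt('secret').
const FACTORY_HASH = '$2y$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm';

// Hypothetical stand-in for a model mutator that hashes whatever it is given.
function hashingMutator(string $value): string
{
    return password_hash($value, PASSWORD_BCRYPT, ['cost' => 4]);
}

// Hypothetical helper: wall-clock seconds spent computing $n hashes at $cost.
function secondsToHash(int $cost, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        password_hash('secret', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return microtime(true) - $start;
}

// The cost factor is readable from the hash string itself.
$info = password_get_info(FACTORY_HASH);
printf("algorithm=%s cost=%d\n", $info['algoName'], $info['options']['cost']);

// A literal 'secret' stored in the column is not a hash, so it never verifies.
printf("plaintext stored:          %s\n", var_export(password_verify('secret', 'secret'), true));

// Committed hash checked against the plaintext from the removed line.
// Only the hash string is needed; no application key is involved.
printf("factory hash stored:       %s\n", var_export(password_verify('secret', FACTORY_HASH), true));

// With a hashing mutator, the factory hash is hashed a second time and the
// original plaintext stops verifying.
$doubleHashed = hashingMutator(FACTORY_HASH);
printf("hash through mutator:      %s\n", var_export(password_verify('secret', $doubleHashed), true));

// Factory-side change for such a model: supply the plaintext instead.
$hashedOnce = hashingMutator('secret');
printf("plaintext through mutator: %s\n", var_export(password_verify('secret', $hashedOnce), true));

// Time spent hashing for 20 generated users at two cost factors.
printf("cost 4: %.3fs, cost 10: %.3fs\n", secondsToHash(4, 20), secondsToHash(10, 20));
```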

@Rah1x
@Rah1x Rah1x commented on f693a20 Oct 30, 2018


> @Rah1x - you can do
>
> 'password' => $password ?: $password = bcrypt('your-password-here'),
>
> If you want to generate it yourself to be hardcoded (recommended for speed) - just run dd(bcrypt('your-password-here')); somewhere and save the string output to here.

perfect / thanks

Also, can you tell me why are we even using it to begin with? I mean it's the same password for everyone, what's the point?

@gpressutto5
Contributor

Won't the hash change when the APP_KEY changes?

@driesvints
Member

@gpressutto5 APP_KEY isn't used for hashing, only for encrypting.
