ENH: refs #952. Change models and controllers to use new password storage

Author: zachmullen

core/AppController.php

@@ -108,7 +108,7 @@ public function preDispatch()
           if(count($tmp) == 2)
             {
             $userDao = $userModel->load($tmp[0]);
-            if($userDao != false && md5($userDao->getPassword()) == $tmp[1])
+            if($userDao != false && $userModel->hashExists($tmp[1]))
               {
               $user->Dao = $userDao;
               }

core/controllers/UserController.php

@@ -102,34 +102,8 @@ function recoverpasswordAction()
           }
         }
 
-      // Create a new password
-      $keychars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-      $length = 10;
-
-      /** make_seed_recoverpass */
-      function make_seed_recoverpass()
-        {
-        list($usec, $sec) = explode(' ', microtime());
-        return (float) $sec + ((float) $usec * 100000);
-        }
-      srand(make_seed_recoverpass());
-
-      $pass = "";
-      $max = strlen($keychars) - 1;
-      for($i = 0; $i <= $length; $i++)
-        {
-        $pass .= substr($keychars, rand(0, $max), 1);
-        }
-      $encrypted = md5($pass);
-
-      $passwordPrefix = Zend_Registry::get('configGlobal')->password->prefix;
-      $salted = $pass;
-      if(isset($passwordPrefix) && !empty($passwordPrefix))
-        {
-        $salted = $passwordPrefix.$pass;
-        }
-
-      $user->setPassword(md5($salted));
+      $pass = UtilityComponent::generateRandomString(10);
+      $this->User->changePassword($user, $pass);
 
       // Send the email
       $url = $this->getServerURL().$this->view->webroot;
@@ -384,7 +358,7 @@ function verifyemailAction()
       session_start();
       }
     $this->userSession->Dao = $this->User->createUser(
-    $email, $pendingUser->getPassword(), $pendingUser->getFirstname(), $pendingUser->getLastname(), 0, true);
+    $email, null, $pendingUser->getFirstname(), $pendingUser->getLastname(), 0, $pendingUser->getSalt());
     session_write_close();
 
     $this->PendingUser->delete($pendingUser);
@@ -408,8 +382,15 @@ function ajaxloginAction()
       return;
       }
     $userDao = $this->User->getByEmail($form->getValue('email'));
-    $passwordPrefix = Zend_Registry::get('configGlobal')->password->prefix;
-    if($userDao !== false && md5($passwordPrefix.$form->getValue('password')) == $userDao->getPassword())
+    if($userDao === false)
+      {
+      echo JsonComponent::encode(array('status' => 'error', 'message' => 'Invalid username or password'));
+      return;
+      }
+    $instanceSalt = Zend_Registry::get('configGlobal')->password->prefix;
+    $passwordHash = hash($userDao->getHashAlg(), $instanceSalt.$userDao->getSalt().$form->getValue('password'));
+
+    if($this->User->hashExists($passwordHash))
       {
       $notifications = Zend_Registry::get('notifier')->callback('CALLBACK_CORE_AUTH_INTERCEPT', array('user' => $userDao));
       foreach($notifications as $module => $value)
@@ -420,7 +401,11 @@ function ajaxloginAction()
           return;
           }
         }
-      setcookie('midasUtil', $userDao->getKey().'-'.md5($userDao->getPassword()), time() + 60 * 60 * 24 * 30, '/'); //30 days
+      if($userDao->getSalt() == '')
+        {
+        $passwordHash = $this->User->convertLegacyPasswordHash($userDao, $form->getValue('password'));
+        }
+      setcookie('midasUtil', $userDao->getKey().'-'.$passwordHash, time() + 60 * 60 * 24 * 30, '/'); //30 days
       Zend_Session::start();
       $user = new Zend_Session_Namespace('Auth_User');
       $user->setExpirationSeconds(60 * Zend_Registry::get('configGlobal')->session->lifetime);
@@ -431,7 +416,7 @@ function ajaxloginAction()
       }
     else
       {
-      echo JsonComponent::encode(array('status' => 'error', 'message' => 'Login failed'));
+      echo JsonComponent::encode(array('status' => 'error', 'message' => 'Invalid username or password'));
       }
     }
 
@@ -473,10 +458,16 @@ function loginAction()
         if(!$authModule)
           {
           $userDao = $this->User->getByEmail($form->getValue('email'));
+          if($userDao === false)
+            {
+            echo JsonComponent::encode(array('status' => false, 'message' => 'Invalid email or password'));
+            return;
+            }
           }
 
-        $passwordPrefix = Zend_Registry::get('configGlobal')->password->prefix;
-        if($authModule || $userDao !== false && md5($passwordPrefix.$form->getValue('password')) == $userDao->getPassword())
+        $instanceSalt = Zend_Registry::get('configGlobal')->password->prefix;
+        $passwordHash = hash($userDao->getHashAlg(), $instanceSalt.$userDao->getSalt().$form->getValue('password'));
+        if($authModule || $this->User->hashExists($passwordHash))
           {
           $notifications = Zend_Registry::get('notifier')->callback('CALLBACK_CORE_AUTH_INTERCEPT', array('user' => $userDao));
           foreach($notifications as $module => $value)
@@ -487,12 +478,16 @@ function loginAction()
               return;
               }
             }
+          if($userDao->getSalt() == '')
+            {
+            $passwordHash = $this->User->convertLegacyPasswordHash($userDao, $form->getValue('password'));
+            }
           $remember = $form->getValue('remerberMe');
           if(isset($remember) && $remember == 1)
             {
             if(!$this->isTestingEnv())
               {
-              setcookie('midasUtil', $userDao->getKey().'-'.md5($userDao->getPassword()), time() + 60 * 60 * 24 * 30, '/'); //30 days
+              setcookie('midasUtil', $userDao->getKey().'-'.$passwordHash, time() + 60 * 60 * 24 * 30, '/'); //30 days
               }
             }
           else
@@ -533,7 +528,7 @@ function loginAction()
         {
         echo JsonComponent::encode(array(
           'status' => false,
-          'message' => 'Invalid login'));
+          'message' => 'Invalid email or password'));
         }
       }
     } // end method login
@@ -673,22 +668,23 @@ public function settingsAction()
           }
         $oldPass = $this->_getParam('oldPassword');
         $newPass = $this->_getParam('newPassword');
-        $passwordPrefix = Zend_Registry::get('configGlobal')->password->prefix;
-        $userDao = $this->User->load($userDao->getKey());
-        if($userDao != false && ((!$userDao->isAdmin() && $this->userSession->Dao->isAdmin()) || md5($passwordPrefix.$oldPass) == $userDao->getPassword()))
+        $instanceSalt = Zend_Registry::get('configGlobal')->password->prefix;
+        $hashedPasswordOld = hash($userDao->getHashAlg(), $instanceSalt.$userDao->getSalt().$oldPass);
+
+        if((!$userDao->isAdmin() && $this->userSession->Dao->isAdmin()) || $this->User->hashExists($hashedPasswordOld))
           {
-          $userDao->setPassword(md5($passwordPrefix.$newPass));
-          $this->User->save($userDao);
+          $this->User->changePassword($userDao, $newPass);
           if(!isset($userId))
             {
             $this->userSession->Dao = $userDao;
             }
           echo JsonComponent::encode(array(true, $this->t('Changes saved')));
-          Zend_Registry::get('notifier')->callback('CALLBACK_CORE_PASSWORD_CHANGED', array('userDao' => $userDao));
+          Zend_Registry::get('notifier')->callback('CALLBACK_CORE_PASSWORD_CHANGED', array('userDao' => $userDao, 'password' => $newPass));
           }
         else
           {
           echo JsonComponent::encode(array(false, $this->t('The old password is incorrect')));
+          return;
           }
         }
 

core/controllers/components/MIDAS2MigrationComponent.php

@@ -505,7 +505,6 @@ function migrate($userid)
       try
         {
         $userDao = $User->createUser($email, $password, $firstname, $lastname);
-        $userDao->setPassword($password); // this is the encrypted password
         $User->save($userDao);
         }
       catch(Zend_Exception $e)

core/controllers/components/UtilityComponent.php

@@ -622,7 +622,7 @@ public static function generateRandomString($length, $alphabet = null)
 
     $salt = '';
     $max = strlen($alphabet) - 1;
-    for($i = 0; $i <= $length; $i++)
+    for($i = 0; $i < $length; $i++)
       {
       $salt .= substr($alphabet, rand(0, $max), 1);
       }

core/database/upgrade/3.2.12.php

@@ -14,6 +14,7 @@ public function mysql()
     {
     $this->db->query("ALTER TABLE `user` ADD COLUMN `hash_alg` varchar(32) NOT NULL default ''");
     $this->db->query("ALTER TABLE `user` ADD COLUMN `salt` varchar(64) NOT NULL default ''");
+    $this->db->query("ALTER TABLE `pendinguser` ADD COLUMN `salt` varchar(64) NOT NULL default ''");
 
     $this->db->query("CREATE TABLE `password` (
                         `hash` varchar(128) NOT NULL,
@@ -22,12 +23,14 @@ public function mysql()
     $this->_movePasswords();
 
     $this->db->query("ALTER TABLE `user` DROP `password`");
+    $this->db->query("ALTER TABLE `pendinguser` DROP `password`");
     }
 
   public function pgsql()
     {
     $this->db->query("ALTER TABLE \"user\" ADD COLUMN hash_alg character varying(32) NOT NULL DEFAULT ''");
     $this->db->query("ALTER TABLE \"user\" ADD COLUMN salt character varying(64) NOT NULL DEFAULT ''");
+    $this->db->query("ALTER TABLE \"pendinguser\" ADD COLUMN salt character varying(64) NOT NULL DEFAULT ''");
 
     $this->db->query("CREATE TABLE password (
                         hash character varying(128) NOT NULL,
@@ -39,6 +42,7 @@ public function pgsql()
     $this->db->query("CLUSTER password USING password_hash");
 
     $this->db->query("ALTER TABLE \"user\" DROP COLUMN password");
+    $this->db->query("ALTER TABLE \"pendinguser\" DROP COLUMN password");
     }
 
   public function postUpgrade()
@@ -59,9 +63,8 @@ private function _movePasswords()
       {
       $this->db->insert('password', array('hash' => $row['password']));
       }
-    // Set the salt and hash alg to be the old instance wide salt and md5 for legacy users (i.e. all users currently in the system)
-    $instanceSalt = Zend_Registry::get('configGlobal')->password->prefix;
-    $this->db->update('user', array('hash_alg' => 'md5', 'salt' => $instanceSalt));
+    // Set the salt and hash alg to the appropriate value to denote a legacy user
+    $this->db->update('user', array('hash_alg' => 'md5', 'salt' => ''));
     }
 }
 ?>

core/models/base/PendingUserModelBase.php

@@ -38,7 +38,7 @@ public function __construct()
       'email' => array('type' => MIDAS_DATA),
       'firstname' => array('type' => MIDAS_DATA),
       'lastname' => array('type' => MIDAS_DATA),
-      'password' => array('type' => MIDAS_DATA),
+      'salt' => array('type' => MIDAS_DATA),
       'date_creation' => array('type' => MIDAS_DATA)
       );
     $this->initialize(); // required
@@ -49,26 +49,20 @@ public abstract function getByParams($params);
   public abstract function getAllByParams($params);
 
   /**
-   * Create the database record for inviting a user via email that is not registered yet
-   * @param email The email of the user (should not exist in Midas already)
-   * @param group The group to invite the user to
-   * @param inviter The user issuing the invitation (typically the session user)
-   * @return the created NewUserInvitationDao
+   * Create the database record for a user who has registered but not had their email verified yet
    */
   public function createPendingUser($email, $firstName, $lastName, $password)
     {
     $email = strtolower($email);
-    $passwordPrefix = Zend_Registry::get('configGlobal')->password->prefix;
-    if(isset($passwordPrefix) && !empty($passwordPrefix))
-      {
-      $password = $passwordPrefix.$password;
-      }
+    $instanceSalt = Zend_Registry::get('configGlobal')->password->prefix;
+    $userSalt = UtilityComponent::generateRandomString(32);
+
     $pendingUser = MidasLoader::newDao('PendingUserDao');
     $pendingUser->setEmail($email);
     $pendingUser->setAuthKey(UtilityComponent::generateRandomString(64, '0123456789abcdef'));
     $pendingUser->setFirstname($firstName);
     $pendingUser->setLastname($lastName);
-    $pendingUser->setPassword(md5($password));
+    $pendingUser->setSalt($userSalt);
     $pendingUser->setDateCreation(date('c'));
 
     $userModel = MidasLoader::loadModel('User');
@@ -82,6 +76,7 @@ public function createPendingUser($email, $firstName, $lastName, $password)
       {
       $this->delete($existingPendingUser);
       }
+    $userModel->storePasswordHash(hash('sha256', $instanceSalt.$userSalt.$password));
 
     $this->save($pendingUser);
     return $pendingUser;