The page Creating a user in M, V, C describes how to add a filter to the user model so it saves the user's password using \lithium\security\Password::hash(). This is fine, but then Simple Authentication continues by using the \lithium\security\auth\adapter\Form, which uses String::hash() (i.e., sha1) to hash passwords.
Thus, if one were to follow the procedure in order, one would end up with a system that does not work because of the different hashing functions.
Either both should use String::hash(), or Simple Authentication should describe how to use \lithium\security\Password::hash() and \lithium\security\Password::check(). The latter combination is more secure; that would be my preference. Of course that's just a personal preference, feel free to disagree :)
An example of a working Adapter (that just overrides the check method of the Form Adapter) would be:
```php
<?php
namespace app\extensions\adapter\security\auth;

use \lithium\security\Password;

class PasswordHashedForm extends \lithium\security\auth\adapter\Form
{
    // We don't need to hash the password, so don't use filters
    public $_filters = array();

    /**
     * Check if the supplied credentials are okay
     */
    public function check($credentials, array $options = array()) {
        $model = $this->_model;
        $query = $this->_query;
        $conditions = $this->_scope + $this->_filters(array_map('strval', $credentials->data));

        // do not include the password in the query ...
        unset($conditions['password']);
        $user = $model::$query(compact('conditions'));

        // no matching user: fail before touching the password field
        if (!$user) {
            return false;
        }

        // ... instead verify the password using the Password class
        if (Password::check($credentials->data['password'], $user->password)) {
            return $user->data();
        }
        return false;
    }
}
?>
```
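As an added illustration (not the issue author's code and not Lithium code), the mismatch described above simulated with PHP's native functions: password_hash()/password_verify() stand in for Password::hash()/Password::check() (bcrypt), and sha1() stands in for String::hash() with its sha1 default.

```php
<?php
// Added example, not part of the issue or the framework. The user records are
// constructed inline; no database or Lithium classes are involved.

// A user as the save filter from "Creating a user in M, V, C" would store it:
// the password column holds a bcrypt hash, not a sha1 digest.
function makeUser($username, $plaintext) {
    return array(
        'username' => $username,
        'password' => password_hash($plaintext, PASSWORD_BCRYPT),
    );
}

// What the stock Form adapter effectively does: hash the submitted password
// with sha1 and look for a row whose password column equals that digest.
// A 40-hex-char sha1 digest can never equal a "$2y$..." bcrypt string, so a
// user created through the Password::hash() filter can never log in this way.
function sha1FormCheck(array $users, $username, $plaintext) {
    $digest = sha1($plaintext);
    foreach ($users as $user) {
        if ($user['username'] === $username && $user['password'] === $digest) {
            return $user;
        }
    }
    return false;
}

// What the overriding adapter in the issue does: look the user up by the
// non-password conditions only, then verify the submitted password against
// the stored hash with the same primitive that produced it.
function bcryptFormCheck(array $users, $username, $plaintext) {
    foreach ($users as $user) {
        if ($user['username'] === $username) {
            return password_verify($plaintext, $user['password']) ? $user : false;
        }
    }
    return false; // unknown user: never reaches the verify step
}

$users = array(makeUser('alice', 'correct horse'));

// Same user, same password, two verifiers: only the one matching the storage
// primitive accepts the login; wrong password and unknown user are rejected.
var_dump(sha1FormCheck($users, 'alice', 'correct horse') !== false);
var_dump(bcryptFormCheck($users, 'alice', 'correct horse') !== false);
var_dump(bcryptFormCheck($users, 'alice', 'wrong') !== false);
var_dump(bcryptFormCheck($users, 'bob', 'correct horse') !== false);
```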
The documentation is against the code in the latest master branch, in which the Form adapter does, in fact, use Password::hash(). Please update your working copy. Thanks.