
Incompatibility in documentation on authorization #16

Closed
rpkamp opened this issue Nov 3, 2011 · 1 comment

rpkamp commented Nov 3, 2011

The page Creating a user in M, V, C describes how to add a filter to the user model so it saves the user's password using \lithium\security\Password::hash(). This is fine, but then Simple Authentication continues by using the \lithium\security\auth\adapter\Form, which uses String::hash() (i.e., sha1) to hash passwords.

Thus, if one were to follow the procedure in order, one would end up with a system that does not work because of the different hashing functions.

Either both should use String::hash(), or Simple Authentication should describe how to use \lithium\security\Password::hash() and \lithium\security\Password::check(). The latter combination is more secure, so that would be my preference. Of course that's just a personal preference, feel free to disagree :)

An example of a working Adapter (that just overrides the check method of the Form Adapter) would be:

<?php

namespace app\extensions\adapter\security\auth;

use lithium\security\Password;

class PasswordHashedForm extends \lithium\security\auth\adapter\Form {

    /**
     * The parent adapter's filters would hash the submitted password with
     * String::hash() before querying. The stored value is a Password::hash()
     * digest, so no filter is applied here.
     */
    protected $_filters = array();

    /**
     * Check whether the supplied credentials match a stored user record.
     *
     * @param object $credentials The request carrying the submitted form data.
     * @param array $options Unused here; accepted for compatibility with the parent.
     * @return array|boolean The user's data on success, otherwise `false`.
     */
    public function check($credentials, array $options = array()) {
        $data = $credentials->data;

        // A request without a password field can never authenticate.
        if (!isset($data['password']) || !is_string($data['password'])) {
            return false;
        }
        $submitted = $data['password'];

        $model = $this->_model;
        $query = $this->_query;
        $conditions = $this->_scope + $this->_filters(array_map('strval', $data));

        // Do not include the password in the query ...
        unset($conditions['password']);
        $user = $model::$query(compact('conditions'));

        // ... and stop here if no record matched, instead of dereferencing null.
        if (!$user) {
            return false;
        }

        // ... instead verify the password against the stored salted hash.
        if (Password::check($submitted, $user->password)) {
            return $user->data();
        }
        return false;
    }
}
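To make the mismatch concrete, here is an added, self-contained PHP script; it is not code from this issue or from the Lithium project. It simulates both login paths the report describes: PHP's built-in password_hash()/password_verify() (bcrypt) stand in for Lithium's Password::hash()/Password::check(), and sha1() stands in for String::hash(). That substitution, the sample password, and the PHP 5.6+ requirement (for hash_equals) are assumptions of the example.

```php
<?php
// Added example (not from the issue or from Lithium): shows why a user record
// hashed under one scheme cannot be verified by an adapter using another.
// Assumptions: password_hash()/password_verify() model Password::hash()/check(),
// sha1() models String::hash(); PHP 5.6+ for hash_equals().

// Constructed sample credential for the demonstration.
$plain = 'correct horse battery staple';

// Scheme A: what the user-model save filter from "Creating a user" stores
// (salted, slow, self-describing crypt string).
$storedBcrypt = password_hash($plain, PASSWORD_BCRYPT, array('cost' => 10));

// Scheme B: what a String::hash()-style adapter expects to find in the column
// (unsalted, fast digest).
$storedSha1 = sha1($plain);

// Verification the way a sha1-based Form adapter does it: hash the submitted
// password and look for an exact match on the stored column.
function sha1AdapterCheck($submitted, $storedHash) {
    return hash_equals($storedHash, sha1($submitted));
}

// Verification the way the overriding adapter does it: fetch the record by the
// non-password fields, then let the password library compare against the
// stored salted hash.
function passwordAdapterCheck($submitted, $storedHash) {
    return password_verify($submitted, $storedHash);
}

$cases = array(
    'bcrypt stored, sha1 check'   => sha1AdapterCheck($plain, $storedBcrypt),
    'bcrypt stored, bcrypt check' => passwordAdapterCheck($plain, $storedBcrypt),
    'sha1 stored, bcrypt check'   => passwordAdapterCheck($plain, $storedSha1),
    'sha1 stored, sha1 check'     => sha1AdapterCheck($plain, $storedSha1),
    'wrong password, bcrypt'      => passwordAdapterCheck('wrong', $storedBcrypt),
);

foreach ($cases as $label => $ok) {
    printf("%-30s %s\n", $label, $ok ? 'authenticated' : 'rejected');
}
```

Run it with `php mismatch.php`. Only the two same-scheme rows authenticate: a bcrypt digest checked by the sha1 path is rejected because the sha1 of the submitted password never equals the stored crypt string, and a sha1 digest handed to password_verify() is rejected because it is not a valid crypt() hash. That is the failure a reader following the two guides in sequence would hit, and it is only visible at login, after the record has already been written.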
@nateabele (Member)

The documentation is against the code in the latest master branch, in which the Form adapter does, in fact, use Password::hash(). Please update your working copy. Thanks.
