aboutsummaryrefslogtreecommitdiff
path: root/ratatoeskr/backend.php
diff options
context:
space:
mode:
authorLaria Carolin Chabowski <laria@laria.me>2020-09-25 23:09:31 +0200
committerLaria Carolin Chabowski <laria@laria.me>2020-09-25 23:09:31 +0200
commit5e347e4efaa81c2108256dc927208cd55dc10baa (patch)
treefccd9fea24e436ea2f3fa073475b2b665a4c31cf /ratatoeskr/backend.php
parent854fef47192b45517d112e630fe2afa830432253 (diff)
downloadratatoeskr-cms-5e347e4efaa81c2108256dc927208cd55dc10baa.tar.gz
ratatoeskr-cms-5e347e4efaa81c2108256dc927208cd55dc10baa.tar.bz2
ratatoeskr-cms-5e347e4efaa81c2108256dc927208cd55dc10baa.zip
Use password_hash() and friends to hash and verify passwords
Previously I rolled my own password hashing function. While it at least used some sort of salt, it's still a terrible idea. The newly created class PasswordHash wraps the password_hash() family of functions but can also check the old password hash format (to distinguish them, the new password hashes are prefixed with a '!'). In PasswordHash::needsRehash we then always report an hash of the old format as being in need of a rehash. That way, these old hashes will be replaced the next time the user successfully logs in.
Diffstat (limited to 'ratatoeskr/backend.php')
-rw-r--r--ratatoeskr/backend.php15
1 files changed, 11 insertions, 4 deletions
diff --git a/ratatoeskr/backend.php b/ratatoeskr/backend.php
index 12a57de..fefa817 100644
--- a/ratatoeskr/backend.php
+++ b/ratatoeskr/backend.php
@@ -15,9 +15,9 @@ use r7r\ste\Transcompiler;
use r7r\ste\Parser;
use r7r\cms\sys\Env;
use r7r\cms\sys\Esc;
+use r7r\cms\sys\PasswordHash;
require_once(dirname(__FILE__) . "/sys/models.php");
-require_once(dirname(__FILE__) . "/sys/pwhash.php");
require_once(dirname(__FILE__) . "/sys/textprocessors.php");
require_once(dirname(__FILE__) . "/sys/plugin_api.php");
require_once(dirname(__FILE__) . "/languages.php");
@@ -109,9 +109,16 @@ function build_backend_subactions()
if (!empty($_POST["user"])) {
try {
$user = User::by_name($_POST["user"]);
- if (!PasswordHash::validate($_POST["password"], $user->pwhash)) {
+ $password = (string)$_POST["password"];
+ if (!PasswordHash::verify($password, $user->pwhash)) {
throw new Exception();
}
+
+ if (PasswordHash::needsRehash($user->pwhash)) {
+ $user->pwhash = PasswordHash::hash($password);
+ $user->save();
+ }
+
if (!$user->member_of($admin_grp)) {
throw new Exception();
}
@@ -1342,7 +1349,7 @@ function build_backend_subactions()
User::by_name($_POST["username"]);
$ste->vars["error"] = $translation["user_already_exists"];
} catch (DoesNotExistError $e) {
- User::create($_POST["username"], PasswordHash::create($_POST["initial_password"]));
+ User::create($_POST["username"], PasswordHash::hash($_POST["initial_password"]));
$ste->vars["success"] = $translation["successfully_created_user"];
}
}
@@ -1466,7 +1473,7 @@ function build_backend_subactions()
/* New Password? */
if (isset($_POST["new_password"])) {
- $pwhash = PasswordHash::create($_POST["password"]);
+ $pwhash = PasswordHash::hash($_POST["password"]);
$user->pwhash = $pwhash;
if ($user->get_id() == $data["user"]->get_id()) {
$_SESSION["ratatoeskr_pwhash"] = $pwhash;