author | Thomas Steur <tsteur@users.noreply.github.com> | 2016-12-02 07:08:15 +0300 |
committer | Matthieu Aubry <mattab@users.noreply.github.com> | 2016-12-02 07:08:15 +0300 |
commit | a9038318a94cc32f0f15add5272322ff6afe71f5 (patch) | |
tree | 9bcd2bf82fe8087e819ce679d07c678b92660ec0 /plugins/Login | |
parent | c10a289bf1e6dc11347b3d0f7235ffd9fa9aaaad (diff) |
Password hashing (#10926)
Diffstat (limited to 'plugins/Login')
-rw-r--r-- | plugins/Login/Auth.php | 26 | ||||
-rw-r--r-- | plugins/Login/PasswordResetter.php | 22 | ||||
-rw-r--r-- | plugins/Login/tests/Integration/LoginTest.php | 5 |
3 files changed, 43 insertions, 10 deletions
diff --git a/plugins/Login/Auth.php b/plugins/Login/Auth.php
index 2de99c6934..08bb693108 100644
--- a/plugins/Login/Auth.php
+++ b/plugins/Login/Auth.php
@@ -8,13 +8,11 @@
  */
 namespace Piwik\Plugins\Login;
-use Exception;
 use Piwik\AuthResult;
-use Piwik\Db;
+use Piwik\Auth\Password;
 use Piwik\Piwik;
 use Piwik\Plugins\UsersManager\Model;
 use Piwik\Plugins\UsersManager\UsersManager;
-use Piwik\Session;
 class Auth implements \Piwik\Auth
 {
@@ -27,9 +25,15 @@ class Auth implements \Piwik\Auth
      */
     private $userModel;
+    /**
+     * @var Password
+     */
+    private $passwordHelper;
+
     public function __construct()
     {
-        $this->userModel = new Model();
+        $this->userModel = new Model();
+        $this->passwordHelper = new Password();
     }
     /**
@@ -49,7 +53,7 @@ class Auth implements \Piwik\Auth
      */
     public function authenticate()
     {
-        if (!empty($this->hashedPassword)) { // favor authenticating by password
+        if (!empty($this->hashedPassword)) {
             return $this->authenticateWithPassword($this->login, $this->getTokenAuthSecret());
         } elseif (is_null($this->login)) {
             return $this->authenticateWithToken($this->token_auth);
@@ -64,7 +68,17 @@ class Auth implements \Piwik\Auth
     {
         $user = $this->userModel->getUser($login);
-        if (!empty($user['login']) && $user['password'] === $passwordHash) {
+        if (empty($user['login'])) {
+            return new AuthResult(AuthResult::FAILURE, $login, null);
+        }
+
+        if ($this->passwordHelper->verify($passwordHash, $user['password'])) {
+            if ($this->passwordHelper->needsRehash($user['password'])) {
+                $newPasswordHash = $this->passwordHelper->hash($passwordHash);
+
+                $this->userModel->updateUser($login, $newPasswordHash, $user['email'], $user['alias'], $user['token_auth']);
+            }
+
             return $this->authenticationSuccess($user);
         }
diff --git a/plugins/Login/PasswordResetter.php b/plugins/Login/PasswordResetter.php
index ebbc7577cd..a9190ed659 100644
--- a/plugins/Login/PasswordResetter.php
+++ b/plugins/Login/PasswordResetter.php
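Review bot: The constructor in the second Auth.php hunk hard-codes `$this->passwordHelper = new Password();`, while `PasswordResetter` in this same commit takes an optional `$passwordHelper` argument and only falls back to `new Password()` when none is given; accepting the helper the same way here, e.g. `public function __construct(Password $passwordHelper = null)` with `$this->passwordHelper = $passwordHelper ?: new Password();`, would let tests substitute a cheaper or instrumented hasher and keep the two classes consistent. The `\Piwik\Auth` interface is not on the page, so whether it constrains the constructor signature cannot be confirmed from here.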
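Review bot: In the last Auth.php hunk, `authenticateWithPassword` returns FAILURE for an unknown login before any `verify()` call, while a wrong password for an existing login goes through the full `verify()`; because the new hash is deliberately slow, the response-time difference lets a client tell which logins exist, which the old constant string comparison did not expose to the same degree. The usual mitigation is to run `verify()` against a fixed, precomputed dummy hash on the unknown-user path before returning, so both failure paths cost about the same; that dummy constant would belong in `Password` or in this class. Separately, the `updateUser()` call on the rehash path has no visible return-value or exception handling, so a failed write would presumably surface as a login failure rather than being logged, which is worth confirming against `Model::updateUser`. The method's wrong-password branch lies outside the hunk.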
@@ -9,6 +9,7 @@ namespace Piwik\Plugins\Login;
 use Exception;
 use Piwik\Access;
+use Piwik\Auth\Password;
 use Piwik\Common;
 use Piwik\Config;
 use Piwik\IP;
@@ -60,6 +61,11 @@ use Piwik\Url;
 class PasswordResetter
 {
     /**
+     * @var Password
+     */
+    protected $passwordHelper;
+
+    /**
      * @var UsersManagerAPI
      */
     protected $usersManagerApi;
@@ -104,9 +110,10 @@ class PasswordResetter
      * @param string|null $confirmPasswordAction
      * @param string|null $emailFromName
      * @param string|null $emailFromAddress
+     * @param Password $passwordHelper
      */
     public function __construct($usersManagerApi = null, $confirmPasswordModule = null, $confirmPasswordAction = null,
-                                $emailFromName = null, $emailFromAddress = null)
+                                $emailFromName = null, $emailFromAddress = null, $passwordHelper = null)
     {
         if (empty($usersManagerApi)) {
             $usersManagerApi = UsersManagerAPI::getInstance();
@@ -130,6 +137,11 @@ class PasswordResetter
             $emailFromAddress = Config::getInstance()->General['login_password_recovery_email_address'];
         }
         $this->emailFromAddress = $emailFromAddress;
+
+        if (empty($passwordHelper)) {
+            $passwordHelper = new Password();
+        }
+        $this->passwordHelper = $passwordHelper;
     }
     /**
@@ -383,7 +395,11 @@ class PasswordResetter
      */
     protected function checkPasswordHash($passwordHash)
     {
-        UsersManager::checkPasswordHash($passwordHash, Piwik::translate('Login_ExceptionPasswordMD5HashExpected'));
+        $hashInfo = $this->passwordHelper->info($passwordHash);
+
+        if (!isset($hashInfo['algo']) || 0 >= $hashInfo['algo']) {
+            throw new Exception(Piwik::translate('Login_ExceptionPasswordMD5HashExpected'));
+        }
     }
     /**
@@ -436,7 +452,7 @@ class PasswordResetter
     private function savePasswordResetInfo($login, $newPassword)
     {
         $optionName = $this->getPasswordResetInfoOptionName($login);
-        $optionData = UsersManager::getPasswordHash($newPassword);
+        $optionData = $this->passwordHelper->hash(UsersManager::getPasswordHash($newPassword));
         Option::set($optionName, $optionData);
     }
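Review bot: The new `@param Password $passwordHelper` line in the third PasswordResetter.php hunk does not match the parameter it documents, which defaults to `null` and is replaced by `new Password()` when empty; it should read `@param Password|null $passwordHelper`, following the `string|null` form used for the neighbouring parameters. A short phrase such as `Password hasher; a fresh Password instance is used when omitted` on that line would also tell readers why it is optional.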
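Review bot: `checkPasswordHash` in the fifth hunk now rejects anything `Password::info()` does not recognise, yet on failure it still throws `Login_ExceptionPasswordMD5HashExpected`, so the message a user sees names the format that is no longer accepted; the key should be replaced by one describing the `password_hash()`-style value now expected (the translation key is defined outside this diff). The guard `0 >= $hashInfo['algo']` also depends on loose comparison with whatever `info()` returns for `algo`; if the helper wraps `password_get_info()`, that field is `0` or `null` for an unrecognised hash on older PHP but a string such as `'2y'` from PHP 7.4 on, so `if (empty($hashInfo['algo']))` states the intent without relying on numeric coercion — worth confirming against `Password::info`, which is not on the page. The last hunk's `savePasswordResetInfo` now stores a salted hash in the option, so the code that later reads that option and applies it must treat it as an already-hashed value; that reader is outside the diff.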
diff --git a/plugins/Login/tests/Integration/LoginTest.php b/plugins/Login/tests/Integration/LoginTest.php
index f199ae7069..4aac46dbc1 100644
--- a/plugins/Login/tests/Integration/LoginTest.php
+++ b/plugins/Login/tests/Integration/LoginTest.php
@@ -433,7 +433,10 @@ class LoginTest extends IntegrationTestCase
         API::getInstance()->addUser($user['login'], $user['password'], $user['email'], $user['alias']);
-        $user['tokenAuth'] = API::getInstance()->getTokenAuth($user['login'], md5($user['password']));
+        $model = new \Piwik\Plugins\UsersManager\Model();
+        $dbUser = $model->getUser($user['login']);
+
+        $user['tokenAuth'] = $dbUser['token_auth'];
         return $user;
     } |
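Review bot: The removed line in LoginTest.php was the only visible call of `API::getInstance()->getTokenAuth()` with an MD5-hashed password, and the helper now reads `token_auth` straight from the database, so that API path is no longer exercised here; if `getTokenAuth()` is still expected to accept the MD5 hash after this change, a separate assertion comparing its result with `$dbUser['token_auth']` would preserve that coverage. The enclosing helper method starts outside the hunk.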