authorThomas Steur <tsteur@users.noreply.github.com>2016-12-02 07:08:15 +0300
committerMatthieu Aubry <mattab@users.noreply.github.com>2016-12-02 07:08:15 +0300
commita9038318a94cc32f0f15add5272322ff6afe71f5 (patch)
tree9bcd2bf82fe8087e819ce679d07c678b92660ec0 /plugins/Login
parentc10a289bf1e6dc11347b3d0f7235ffd9fa9aaaad (diff)
Password hashing (#10926)
Diffstat (limited to 'plugins/Login')
-rw-r--r--plugins/Login/Auth.php26
-rw-r--r--plugins/Login/PasswordResetter.php22
-rw-r--r--plugins/Login/tests/Integration/LoginTest.php5
3 files changed, 43 insertions, 10 deletions
diff --git a/plugins/Login/Auth.php b/plugins/Login/Auth.php
index 2de99c6934..08bb693108 100644
--- a/plugins/Login/Auth.php
+++ b/plugins/Login/Auth.php
@@ -8,13 +8,11 @@
*/
namespace Piwik\Plugins\Login;
-use Exception;
use Piwik\AuthResult;
-use Piwik\Db;
+use Piwik\Auth\Password;
use Piwik\Piwik;
use Piwik\Plugins\UsersManager\Model;
use Piwik\Plugins\UsersManager\UsersManager;
-use Piwik\Session;
class Auth implements \Piwik\Auth
{
@@ -27,9 +25,15 @@ class Auth implements \Piwik\Auth
*/
private $userModel;
+ /**
+ * @var Password
+ */
+ private $passwordHelper;
+
public function __construct()
{
- $this->userModel = new Model();
+ $this->userModel = new Model();
+ $this->passwordHelper = new Password();
}
/**
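Review bot: `$this->passwordHelper = new Password();` hard-codes the dependency in the constructor, while PasswordResetter in the same commit takes an optional `$passwordHelper` argument and falls back to `new Password()` only when none is given. An optional parameter here too, `public function __construct($passwordHelper = null)` with the same fallback, would keep the two classes consistent and let tests substitute a cheaper hasher. Style only; the class body continues outside the hunk.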
@@ -49,7 +53,7 @@ class Auth implements \Piwik\Auth
*/
public function authenticate()
{
- if (!empty($this->hashedPassword)) { // favor authenticating by password
+ if (!empty($this->hashedPassword)) {
return $this->authenticateWithPassword($this->login, $this->getTokenAuthSecret());
} elseif (is_null($this->login)) {
return $this->authenticateWithToken($this->token_auth);
@@ -64,7 +68,17 @@ class Auth implements \Piwik\Auth
{
$user = $this->userModel->getUser($login);
- if (!empty($user['login']) && $user['password'] === $passwordHash) {
+ if (empty($user['login'])) {
+ return new AuthResult(AuthResult::FAILURE, $login, null);
+ }
+
+ if ($this->passwordHelper->verify($passwordHash, $user['password'])) {
+ if ($this->passwordHelper->needsRehash($user['password'])) {
+ $newPasswordHash = $this->passwordHelper->hash($passwordHash);
+
+ $this->userModel->updateUser($login, $newPasswordHash, $user['email'], $user['alias'], $user['token_auth']);
+ }
+
return $this->authenticationSuccess($user);
}
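Review bot: The early `return new AuthResult(AuthResult::FAILURE, $login, null);` for an unknown login skips `verify()` entirely, so a request for a nonexistent user completes measurably faster than a wrong password for an existing one, which lets the response time reveal which logins exist. The usual mitigation is to run `verify()` against a fixed, precomputed hash on that branch before returning, so both failure paths cost one hash verification; that constant would be a new class property whose name is not on this page. The rehash branch writes back through `updateUser()` with `$user['token_auth']` passed unchanged; whether updateUser re-derives the token from the new password hash is not visible here and is worth confirming, since a changed token would invalidate API access on each post-upgrade login. authenticateWithPassword's signature and its remaining failure branch lie outside the hunk.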
diff --git a/plugins/Login/PasswordResetter.php b/plugins/Login/PasswordResetter.php
index ebbc7577cd..a9190ed659 100644
--- a/plugins/Login/PasswordResetter.php
+++ b/plugins/Login/PasswordResetter.php
@@ -9,6 +9,7 @@ namespace Piwik\Plugins\Login;
use Exception;
use Piwik\Access;
+use Piwik\Auth\Password;
use Piwik\Common;
use Piwik\Config;
use Piwik\IP;
@@ -60,6 +61,11 @@ use Piwik\Url;
class PasswordResetter
{
/**
+ * @var Password
+ */
+ protected $passwordHelper;
+
+ /**
* @var UsersManagerAPI
*/
protected $usersManagerApi;
@@ -104,9 +110,10 @@ class PasswordResetter
* @param string|null $confirmPasswordAction
* @param string|null $emailFromName
* @param string|null $emailFromAddress
+ * @param Password $passwordHelper
*/
public function __construct($usersManagerApi = null, $confirmPasswordModule = null, $confirmPasswordAction = null,
- $emailFromName = null, $emailFromAddress = null)
+ $emailFromName = null, $emailFromAddress = null, $passwordHelper = null)
{
if (empty($usersManagerApi)) {
$usersManagerApi = UsersManagerAPI::getInstance();
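Review bot: The new docblock line `@param Password $passwordHelper` does not match the parameter, whose default is `null` and which is only replaced by `new Password()` further down in the constructor; write it as `@param Password|null $passwordHelper` so static analysis and callers see the optional contract. The constructor body continues past this hunk.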
@@ -130,6 +137,11 @@ class PasswordResetter
$emailFromAddress = Config::getInstance()->General['login_password_recovery_email_address'];
}
$this->emailFromAddress = $emailFromAddress;
+
+ if (empty($passwordHelper)) {
+ $passwordHelper = new Password();
+ }
+ $this->passwordHelper = $passwordHelper;
}
/**
@@ -383,7 +395,11 @@ class PasswordResetter
*/
protected function checkPasswordHash($passwordHash)
{
- UsersManager::checkPasswordHash($passwordHash, Piwik::translate('Login_ExceptionPasswordMD5HashExpected'));
+ $hashInfo = $this->passwordHelper->info($passwordHash);
+
+ if (!isset($hashInfo['algo']) || 0 >= $hashInfo['algo']) {
+ throw new Exception(Piwik::translate('Login_ExceptionPasswordMD5HashExpected'));
+ }
}
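Review bot: The rejection still throws `Login_ExceptionPasswordMD5HashExpected`, but the condition no longer tests for an MD5 hash — it tests that `info()` recognises a password_hash-style value, which is what savePasswordResetInfo now stores — so a caller that trips it is given the wrong reason. A comment above the `if` would make the intent clear: `// Expect the password_hash wrapper written by savePasswordResetInfo(), not a raw MD5 hex string`. The guard `0 >= $hashInfo['algo']` also assumes `algo` is an integer; if `info()` returns `password_get_info()`'s array unchanged, newer PHP releases report `algo` as a string or null, where a numeric comparison no longer means "unknown algorithm", so `if (empty($hashInfo['algo'])) {` would be the more robust spelling — to confirm against the Password class, which is not on this page. The docblock for checkPasswordHash starts outside the hunk.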
/**
@@ -436,7 +452,7 @@ class PasswordResetter
private function savePasswordResetInfo($login, $newPassword)
{
$optionName = $this->getPasswordResetInfoOptionName($login);
- $optionData = UsersManager::getPasswordHash($newPassword);
+ $optionData = $this->passwordHelper->hash(UsersManager::getPasswordHash($newPassword));
Option::set($optionName, $optionData);
}
diff --git a/plugins/Login/tests/Integration/LoginTest.php b/plugins/Login/tests/Integration/LoginTest.php
index f199ae7069..4aac46dbc1 100644
--- a/plugins/Login/tests/Integration/LoginTest.php
+++ b/plugins/Login/tests/Integration/LoginTest.php
@@ -433,7 +433,10 @@ class LoginTest extends IntegrationTestCase
API::getInstance()->addUser($user['login'], $user['password'], $user['email'], $user['alias']);
- $user['tokenAuth'] = API::getInstance()->getTokenAuth($user['login'], md5($user['password']));
+ $model = new \Piwik\Plugins\UsersManager\Model();
+ $dbUser = $model->getUser($user['login']);
+
+ $user['tokenAuth'] = $dbUser['token_auth'];
return $user;
}