From: Robert Kaiser Date: Wed, 26 Oct 2016 22:32:28 +0000 (+0200) Subject: move password functions into utils class X-Git-Url: https://git-public.kairo.at/?a=commitdiff_plain;h=be1082a69cdf3dec7db4060198834dd43ae6290f;p=authserver.git move password functions into utils class --- diff --git a/authsystem.inc.php b/authsystem.inc.php index 62c6a80..53462c1 100644 --- a/authsystem.inc.php +++ b/authsystem.inc.php @@ -10,8 +10,6 @@ ini_set('display_errors', 1); error_reporting(E_ALL); $dbdata = json_decode(file_get_contents('/etc/kairo/auth_db.json'), true); if (!is_array($dbdata)) { trigger_error('DB configuration not found', E_USER_ERROR); } -$pwd_options = array('cost' => 10); - // Extended DOM document class require_once('../kairo/include/cbsm/util/document.php-class'); // Class for sending emails diff --git a/authutils.php-class b/authutils.php-class index 6686f7b..dfb89a2 100755 --- a/authutils.php-class +++ b/authutils.php-class @@ -7,6 +7,9 @@ class AuthUtils { // KaiRo.at authentication utilities PHP class // This class contains helper functions for the authentication system. // + // private static $pwd_cost + // Store cost parameter for use with PHP password_hash function. + // // static function checkPasswordConstraints($new_password, $user_email) // Check password constraints and return an array of error messages (empty if all constraints are met). // @@ -24,6 +27,17 @@ class AuthUtils { // static function verifyTimeCode($timecode_to_verify, $session, [$validity_minutes]) // Verify a given time-based code and return true if it's valid or false if it's not. // See createTimeCode() documentation for the session and validity paramerters. + // + // static function pwdHash($new_password) + // Return a hash for the given password. + // + // static function pwdVerify($password_to_verify, $user) + // Return true if the password verifies against the pwdhash field of the user, false if not. + // + // static function pwdNeedsRehash($user) + // Return true if the pwdhash field of the user uses an outdated standard and needs to be rehashed. + + private static $pwd_cost = 10; static function checkPasswordConstraints($new_password, $user_email) { $errors = array(); @@ -73,9 +87,21 @@ class AuthUtils { static function verifyTimeCode($timecode_to_verify, $session, $validity_minutes = 10) { if (preg_match('/^(\d+)\.\d+$/', $timecode_to_verify, $regs)) { - return ($timecode_to_verify === AuthUtils::createTimeCode($session, $regs[1], $validity_minutes)); + return ($timecode_to_verify === self::createTimeCode($session, $regs[1], $validity_minutes)); } return false; } + + static function pwdHash($new_password) { + return password_hash($new_password, PASSWORD_DEFAULT, array('cost' => self::$pwd_cost)); + } + + static function pwdVerify($password_to_verify, $userdata) { + return password_verify($password_to_verify, $userdata['pwdhash'])); + } + + static function pwdNeedsRehash($userdata) { + return password_needs_rehash($userdata['pwdhash'], PASSWORD_DEFAULT, array('cost' => self::$pwd_cost)); + } } ?> diff --git a/index.php b/index.php index 2a560e8..3febbbf 100644 --- a/index.php +++ b/index.php @@ -59,12 +59,12 @@ if (!count($errors)) { $user = $result->fetch(PDO::FETCH_ASSOC); if ($user['id'] && array_key_exists('pwd', $_POST)) { // existing user, check password - if (($user['status'] == 'ok') && password_verify(@$_POST['pwd'], $user['pwdhash'])) { + if (($user['status'] == 'ok') && AuthUtils::pwdVerify(@$_POST['pwd'], $user)) { // Check if a newer hashing algorithm is available // or the cost has changed - if (password_needs_rehash($user['pwdhash'], PASSWORD_DEFAULT, $pwd_options)) { + if (AuthUtils::pwdNeedsRehash($user)) { // If so, create a new hash, and replace the old one - $newHash = password_hash($_POST['pwd'], PASSWORD_DEFAULT, $pwd_options); + $newHash = AuthUtils::pwdHash($_POST['pwd']); $result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash WHERE `id` = :userid;'); if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $user['id']))) { // XXXlog: Failed to update user hash! @@ -120,7 +120,7 @@ if (!count($errors)) { if (!count($errors)) { // Put user into the DB if (!$user['id']) { - $newHash = password_hash($_POST['pwd'], PASSWORD_DEFAULT, $pwd_options); + $newHash = AuthUtils::pwdHash($_POST['pwd']); $vcode = AuthUtils::createVerificationCode(); $result = $db->prepare('INSERT INTO `auth_users` (`email`, `pwdhash`, `status`, `verify_hash`) VALUES (:email, :pwdhash, \'unverified\', :vcode);'); if (!$result->execute(array(':email' => $_POST['email'], ':pwdhash' => $newHash, ':vcode' => $vcode))) { @@ -292,7 +292,7 @@ if (!count($errors)) { } $errors += AuthUtils::checkPasswordConstraints(strval($_POST['pwd']), $user['email']); if (!count($errors)) { - $newHash = password_hash($_POST['pwd'], PASSWORD_DEFAULT, $pwd_options); + $newHash = AuthUtils::pwdHash($_POST['pwd']); $result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash, `verify_hash` = \'\' WHERE `id` = :userid;'); if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $session['user']))) { // XXXlog: Password reset failure!