From b6c726bad52deb0403fa3dba7fa9e4ce3ed841a4 Mon Sep 17 00:00:00 2001 From: Roman Hergenreder Date: Tue, 23 Jun 2020 18:40:43 +0200 Subject: [PATCH] Changed user hash --- core/Api/Request.class.php | 3 +- core/Api/UserAPI.class.php | 40 ++++++++++++--------- core/Configuration/CreateDatabase.class.php | 3 +- core/Documents/Install.class.php | 37 ++++++++----------- 4 files changed, 40 insertions(+), 43 deletions(-) diff --git a/core/Api/Request.class.php b/core/Api/Request.class.php index 05cb79b..41bd17d 100644 --- a/core/Api/Request.class.php +++ b/core/Api/Request.class.php @@ -118,7 +118,8 @@ class Request { return false; } - if($this->loginRequired || !empty($this->requiredGroup)) { + // TODO: Check this! + if($this->externalCall && ($this->loginRequired || !empty($this->requiredGroup))) { $apiKeyAuthorized = false; if(isset($values['api_key']) && $this->apiKeyAllowed) { $apiKey = $values['api_key']; diff --git a/core/Api/UserAPI.class.php b/core/Api/UserAPI.class.php index d9ec54b..4da2dfe 100644 --- a/core/Api/UserAPI.class.php +++ b/core/Api/UserAPI.class.php @@ -44,10 +44,9 @@ namespace Api { protected function insertUser($username, $email, $password) { $sql = $this->user->getSQL(); - $salt = generateRandomString(16); - $hash = $this->hashPassword($password, $salt); - $res = $sql->insert("User", array("name", "password", "salt", "email")) - ->addRow($username, $hash, $salt, $email) + $hash = $this->hashPassword($password); + $res = $sql->insert("User", array("name", "password", "email")) + ->addRow($username, $hash, $email) ->returning("uid") ->execute(); @@ -61,9 +60,8 @@ namespace Api { return $this->success; } - // TODO: replace this with crypt() in the future - protected function hashPassword($password, $salt) { - return hash('sha256', $password . $salt); + protected function hashPassword($password) { + return password_hash($password, PASSWORD_BCRYPT); } protected function checkToken($token) { 
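Review bot: The added `$this->externalCall &&` guard makes every Request that is executed from PHP code rather than over HTTP skip the login and required-group checks entirely, and the `// TODO: Check this!` left above it says the author was not sure that is intended; it should be a stated contract, not an open TODO. Replace the TODO with `// Internal (non-external) calls bypass the login/group check; the calling code is responsible for authorization.` and audit every caller that builds an internal Request from user-supplied input — Install.class.php in this same patch is one, presumably acceptable only because it runs during installation. The enclosing method starts and ends outside the hunk.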
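Review bot: `hashPassword` pins the algorithm to `PASSWORD_BCRYPT` and silently inherits bcrypt's 72-byte input truncation, so two passwords that differ only after byte 72 verify as the same, and nothing in the patch caps or documents the length (the Create hunk only enforces a minimum of 6). Consider `return password_hash($password, PASSWORD_DEFAULT);` together with a 255-character column instead of the 128 set in the CreateDatabase.class.php hunk, as the PHP manual recommends, so a future default algorithm does not need a schema change; if bcrypt is kept deliberately, say so with `// bcrypt: 60-char output, input truncated at 72 bytes`. The method also has no docblock; `@return string hash produced by password_hash(), checked with password_verify()` would document the new contract for callers in Login and the update path.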
@@ -135,17 +133,27 @@ namespace Api\User {
 $username = $this->getParam('username');
 $email = $this->getParam('email');
+ $password = $this->getParam('password');
+ $confirmPassword = $this->getParam('confirmPassword');
+
+ if(strlen($username) < 5 || strlen($username) > 32) {
+ return $this->createError("The username should be between 5 and 32 characters long");
+ } else if(strcmp($password, $confirmPassword) !== 0) {
+ return $this->createError("The given passwords do not match");
+ } else if(strlen($password) < 6) {
+ return $this->createError("The password should be at least 6 characters long");
+ }
+
 if (!$this->userExists($username, $email)) {
 return false;
 }
- $password = $this->getParam('password');
- $confirmPassword = $this->getParam('confirmPassword');
- if ($password !== $confirmPassword) {
- return $this->createError("The given passwords do not match.");
+ $id = $this->insertUser($username, $email, $password);
+ if ($this->success) {
+ $this->result["userId"] = $id;
 }
- return $this->insertUser($username, $email, $password) !== FALSE;
+ return $this->success;
 }
 }
@@ -405,7 +413,7 @@ If the invitation was not intended, you can simply ignore this email.
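Review bot: The validation moved here from Install.class.php lost the email-format check: the removed Install branch `else if($email && Parameter::parseType($email) !== Parameter::TYPE_EMAIL)` has no counterpart in this hunk, so unless the parameter declaration outside the hunk already types the field as an email, any string now reaches `insertUser`; the Install hunk in the same patch loses the check as well. The length checks use byte-wise `strlen` while the messages speak of characters, so a non-ASCII username of fewer than 5 characters can pass and one of 32 characters can be rejected; decide whether the limit is bytes (the 32-wide column) or characters and use `mb_strlen` if it is the latter. The enclosing method begins before the hunk.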

 getParam('stayLoggedIn');
 $sql = $this->user->getSQL();
- $res = $sql->select("User.uid", "User.password", "User.salt")
+ $res = $sql->select("User.uid", "User.password")
 ->from("User")
 ->where(new Compare("User.name", $username))
 ->execute();
@@ -418,10 +426,8 @@ If the invitation was not intended, you can simply ignore this email.

 wrongCredentials();
 } else {
 $row = $res[0];
- $salt = $row['salt'];
 $uid = $row['uid'];
- $hash = $this->hashPassword($password, $salt);
- if ($hash === $row['password']) {
+ if (password_verify($password, $row['password'])) {
 if (!($this->success = $this->user->createSession($uid, $stayLoggedIn))) {
 return $this->createError("Error creating Session: " . $sql->getLastError());
 } else {
@@ -620,7 +626,7 @@ If the registration was not intended, you can simply ignore this email.
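Review bot: `password_verify($password, $row['password'])` has no migration path for rows written by the old `hash('sha256', $password . $salt)` scheme: the patch drops the `salt` column and changes the stored format, so every pre-existing account fails with wrongCredentials and nothing distinguishes "old hash" from "wrong password". Unless the database is recreated on deployment (the CreateDatabase change hints at that but the patch does not confirm it), existing users need a rehash-on-login or a forced reset. Even on a fresh install, the success branch should add `if (password_needs_rehash($row['password'], PASSWORD_BCRYPT)) { /* store hashPassword($password) for $uid */ }` so a later cost or algorithm change rolls out without locking anyone out. The enclosing method starts and ends outside the hunk.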

< if ($usernameChanged) $query->set("name", $username); if ($emailChanged) $query->set("email", $email); - if (!is_null($password)) $query->set("password", $this->hashPassword($password, $user[0]["salt"])); + if (!is_null($password)) $query->set("password", $this->hashPassword($password)); $query->where(new Compare("User.uid", $id)); $res = $query->execute(); diff --git a/core/Configuration/CreateDatabase.class.php b/core/Configuration/CreateDatabase.class.php index c889e81..f64b4cf 100755 --- a/core/Configuration/CreateDatabase.class.php +++ b/core/Configuration/CreateDatabase.class.php @@ -28,8 +28,7 @@ class CreateDatabase { ->addSerial("uid") ->addString("email", 64, true) ->addString("name", 32) - ->addString("salt", 16) - ->addString("password", 64) + ->addString("password", 128) ->addInt("language_id", true, 1) ->addDateTime("registered_at", false, $sql->currentTimestamp()) ->primaryKey("uid") diff --git a/core/Documents/Install.class.php b/core/Documents/Install.class.php index 2a5e5bc..5d43785 100644 --- a/core/Documents/Install.class.php +++ b/core/Documents/Install.class.php @@ -313,32 +313,23 @@ namespace Documents\Install { if(!$success) { $msg = "Please fill out the following inputs:
" . $this->createUnorderedList($missingInputs); - } else if(strlen($username) < 5 || strlen($username) > 32) { - $msg = "The username should be between 5 and 32 characters long"; - $success = false; - } else if(strcmp($password, $confirmPassword) !== 0) { - $msg = "The given passwords do not match"; - $success = false; - } else if(strlen($password) < 6) { - $msg = "The password should be at least 6 characters long"; - $success = false; - } else if($email && Parameter::parseType($email) !== Parameter::TYPE_EMAIL) { - $msg = "Invalid email address"; - $success = false; } else { - $salt = generateRandomString(16); - $hash = hash('sha256', $password . $salt); $sql = $user->getSQL(); + $req = new \Api\User\Create($user); + $success = $req->execute(array( + 'username' => $username, + 'email' => $email, + 'password' => $password, + 'confirmPassword' => $confirmPassword, + )); - $success = $sql->insert("User", array("name", "salt", "password", "email")) - ->addRow($username, $salt, $hash, $email) - ->returning("uid") - ->execute() - && $sql->insert("UserGroup", array("group_id", "user_id")) - ->addRow(USER_GROUP_ADMIN, $sql->getLastInsertId()) - ->execute(); - - $msg = $sql->getLastError(); + $msg = $req->getLastError(); + if ($success) { + $success = $sql->insert("UserGroup", array("group_id", "user_id")) + ->addRow(USER_GROUP_ADMIN, $req->getResult()["userId"]) + ->execute(); + $msg = $sql->getLastError(); + } } return array("msg" => $msg, "success" => $success);
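Review bot: Creating the admin user via `Create` and granting USER_GROUP_ADMIN are still two separate statements with no transaction: if the `UserGroup` insert fails, `$success` is false and the SQL error is shown, but the user row already persists, so resubmitting the form is presumably rejected by the userExists check and the installation is left with an account that has no admin group. Either run both inserts inside a transaction or delete the created user when the second insert fails before returning. `$req->getResult()["userId"]` relies on Create setting that key only on success, which the Create hunk does guarantee, but a comment at the call site, `// Create sets result["userId"] only when insertUser succeeded`, would make the coupling visible to the next maintainer. The enclosing method begins before the hunk.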