Merge pull request #289 from acohn/new_password_api

Use new PHP password hashing API
grinnellplans · May 25, 2018 · 649aad5 · 649aad5
2 parents 3e76ab2 + 946b875
commit 649aad5
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 7 deletions.
diff --git a/changeemail.php b/changeemail.php
@@ -24,7 +24,7 @@ interface_disp_page($thispage);
     if ($changed == 'email') {
         $newemail = $_POST['email'];
         $user = User::get();
-        if (isset($_POST['password']) && ($user->password == crypt($_POST['password'],$user->password))) {
+        if (isset($_POST['password']) && password_verify($_POST['password'],$user->password)) {
 	    if ($newemail == "" || filter_var($newemail, FILTER_VALIDATE_EMAIL) !== false) {
             if (User::setEmail($newemail)) {
 	            $success = new InfoText("Your email address has been updated!",'Success');

diff --git a/composer.json b/composer.json
@@ -3,7 +3,8 @@
     "description": "GrinnellPlans, a social networking site",
     "type": "project",
     "require": {
-        "amazonwebservices/aws-sdk-for-php": "^1.6"
+        "amazonwebservices/aws-sdk-for-php": "^1.6",
+        "ircmaxell/password-compat": "^1.0"
     },
     "license": "gpl3"
 }
diff --git a/composer.lock b/composer.lock
diff --git a/inc/User.php b/inc/User.php
@@ -21,16 +21,23 @@ public static function login($username, $password) {
     public static function checkPassword($username, $password) {
 	$user = User::get($username);
         if ($user == false) return false;
-        $newpass = crypt($password, $user->password);
-        return ($newpass != '' && $newpass == $user->password);
+        if (password_verify($password,$user->password)) {
+            if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) {
+                $user->password = User::hashPassword($password);
+                $user->save();
+            }
+            return true;
+        } else {
+            return false;
+        }
     }
     /**
      * @return boolean true if password updated successfully
      */
     public static function changePassword($username, $newpassword, $oldpassword = null) {
         $user = User::get($username);
         if ($user->username != $username) return false;
-        if (($oldpassword !== null) && ($user->password != crypt($oldpassword,$user->password)))
+        if (($oldpassword !== null) && (!password_verify($oldpassword,$user->password)))
             return false;
         if (strlen($newpassword) < 4) return false;
         $user->password = User::hashPassword($newpassword);
@@ -111,7 +118,7 @@ public static function setEmail($email, $username = null) {
      * @return string a one-way hash of the password, suitable for storage
      */
     public static function hashPassword($password) {
-        return crypt($password);
+        return password_hash($password,PASSWORD_DEFAULT);
     }
 
     public static function get($username = null) {