Centralize password hashing in Model\User

This commit is contained in:
Hypolite Petovan 2018-01-19 22:49:06 -05:00
parent b1e3d09533
commit 209c43ebbc
3 changed files with 57 additions and 15 deletions


@ -7,6 +7,7 @@
use Friendica\App; use Friendica\App;
use Friendica\Core\System; use Friendica\Core\System;
use Friendica\Database\DBM; use Friendica\Database\DBM;
use Friendica\Model\User;
require_once 'include/boot.php'; require_once 'include/boot.php';
require_once 'include/enotify.php'; require_once 'include/enotify.php';
@ -84,10 +85,8 @@ function lostpass_content(App $a)
return $o; return $o;
} }
$new_password = autoname(6) . mt_rand(100, 9999); $new_password = User::generateNewPassword();
$new_password_encoded = hash('whirlpool', $new_password); $result = User::updatePassword($user['uid'], $new_password);
$result = dba::update('user', ['password' => $new_password_encoded, 'pwdreset' => ''], ['uid' => $user['uid']]);
if (DBM::is_result($result)) { if (DBM::is_result($result)) {
$tpl = get_markup_template('pwdreset.tpl'); $tpl = get_markup_template('pwdreset.tpl');
$o .= replace_macros($tpl, $o .= replace_macros($tpl,


@ -2,14 +2,15 @@
/** /**
* @file mod/settings.php * @file mod/settings.php
*/ */
use Friendica\App; use Friendica\App;
use Friendica\Content\Feature; use Friendica\Content\Feature;
use Friendica\Content\Nav; use Friendica\Content\Nav;
use Friendica\Core\Addon; use Friendica\Core\Addon;
use Friendica\Core\System;
use Friendica\Core\Worker;
use Friendica\Core\Config; use Friendica\Core\Config;
use Friendica\Core\PConfig; use Friendica\Core\PConfig;
use Friendica\Core\System;
use Friendica\Core\Worker;
use Friendica\Database\DBM; use Friendica\Database\DBM;
use Friendica\Model\GContact; use Friendica\Model\GContact;
use Friendica\Model\Group; use Friendica\Model\Group;
@ -391,12 +392,8 @@ function settings_post(App $a)
} }
if (!$err) { if (!$err) {
$password = hash('whirlpool', $newpass); $result = User::updatePassword(local_user(), $newpass);
$r = q("UPDATE `user` SET `password` = '%s' WHERE `uid` = %d", if (DBM::is_result($result)) {
dbesc($password),
intval(local_user())
);
if (DBM::is_result($r)) {
info(t('Password changed.') . EOL); info(t('Password changed.') . EOL);
} else { } else {
notice(t('Password update failed. Please try again.') . EOL); notice(t('Password update failed. Please try again.') . EOL);
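Review bot: No `use Friendica\Model\User;` line is visible in this file's use-block hunk although the settings_post hunk now calls `User::updatePassword(local_user(), $newpass)`; the visible change in the use block only swaps the position of `System`/`Worker` relative to `Config`/`PConfig`, while the hunk header (`-2,14 +2,15`) implies one more added line than is shown, presumably the `User` import below the cut. Please confirm it is there, since in a non-namespaced mod file an unimported `User::` would not resolve to `Friendica\Model\User`. Both hunks cut through their enclosing units: the use block continues past the shown lines and settings_post starts well before its hunk, so the `$err` computation guarding this path is not reviewable here. The `DBM::is_result($result)` check keeps the shape of the old `$r` check, but note the helper still hashes with unsalted whirlpool (raised in the Model\User section).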


@ -142,7 +142,7 @@ class User
return false; return false;
} }
$password_hashed = hash('whirlpool', $password); $password_hashed = self::hashPassword($password);
if ($password_hashed !== $user['password']) { if ($password_hashed !== $user['password']) {
return false; return false;
@ -151,6 +151,52 @@ class User
return $user['uid']; return $user['uid'];
} }
/**
* Generates a human-readable random password
*
* @return string
*/
public static function generateNewPassword()
{
return autoname(6) . mt_rand(100, 9999);
}
/**
* Global user password hashing function
*
* @param string $password
* @return string
*/
private static function hashPassword($password)
{
return hash('whirlpool', $password);
}
/**
* Updates a user row with a new plaintext password
*
* @param int $uid
* @param string $password
* @return bool
*/
public static function updatePassword($uid, $password)
{
return self::updatePasswordHashed($uid, self::hashPassword($password));
}
/**
* Updates a user row with a new hashed password.
* Empties the password reset token field just in case.
*
* @param int $uid
* @param string $pasword_hashed
* @return bool
*/
private static function updatePasswordHashed($uid, $pasword_hashed)
{
return dba::update('user', ['password' => $pasword_hashed, 'pwdreset' => ''], ['uid' => $uid]);
}
/** /**
* @brief Catch-all user creation function * @brief Catch-all user creation function
* *
@ -290,8 +336,8 @@ class User
throw new Exception(t('Nickname is already registered. Please choose another.')); throw new Exception(t('Nickname is already registered. Please choose another.'));
} }
$new_password = strlen($password) ? $password : autoname(6) . mt_rand(100, 9999); $new_password = strlen($password) ? $password : User::generateNewPassword();
$new_password_encoded = hash('whirlpool', $new_password); $new_password_encoded = self::hashPassword($new_password);
$return['password'] = $new_password; $return['password'] = $new_password;
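Review bot: `hashPassword`, the new private method near the end of the second hunk, still computes an unsalted single-round `hash('whirlpool', $password)`, so centralizing it changes nothing about offline-cracking resistance; now that there is exactly one place, it should return `password_hash($password, PASSWORD_DEFAULT)`, and the login comparison in the first hunk (`$password_hashed !== $user['password']`, inside a method that starts outside the hunk) should become `password_verify` with a one-time upgrade of legacy whirlpool rows, as sketched below — note that routing the rehash through `updatePasswordHashed` also clears `pwdreset`, which is probably acceptable on a successful login but worth a conscious decision. `generateNewPassword` builds the emailed reset password with `mt_rand(100, 9999)`, which is not a CSPRNG; use `random_int(100, 9999)` (the entropy source of `autoname(6)` is not visible here and deserves the same check). Until `password_verify` lands, the `!==` on hash strings also leaks timing and should read `hash_equals($user['password'], $password_hashed)`. Minor: the parameter is spelled `$pasword_hashed` in both the docblock and the signature of `updatePasswordHashed`.
```php
private static function hashPassword($password)
{
    // Salted, iterated, self-describing hash; whirlpool is kept only for verifying legacy rows.
    return password_hash($password, PASSWORD_DEFAULT);
}

// … unchanged: user lookup in the authentication method (starts outside the hunk) …
if (!password_verify($password, $user['password'])) {
    // Legacy rows still hold an unsalted whirlpool digest: accept it once, then upgrade.
    if (!hash_equals($user['password'], hash('whirlpool', $password))) {
        return false;
    }
    self::updatePasswordHashed($user['uid'], self::hashPassword($password));
} elseif (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
    self::updatePasswordHashed($user['uid'], self::hashPassword($password));
}
```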