Centralize password hashing in Model\User

2018-01-19 22:49:06 -05:00 · 2018-01-19 22:49:06 -05:00 · 209c43ebbc
parent b1e3d09533
commit 209c43ebbc
3 changed files with 57 additions and 15 deletions
--- a/mod/lostpass.php
+++ b/mod/lostpass.php
@ -7,6 +7,7 @@
 use Friendica\App;
 use Friendica\Core\System;
 use Friendica\Database\DBM;
+use Friendica\Model\User;

 require_once 'include/boot.php';
 require_once 'include/enotify.php';
@ -84,10 +85,8 @@ function lostpass_content(App $a)
 			return $o;
 		}

-		$new_password = autoname(6) . mt_rand(100, 9999);
-		$new_password_encoded = hash('whirlpool', $new_password);
-
-		$result = dba::update('user', ['password' => $new_password_encoded, 'pwdreset' => ''], ['uid' => $user['uid']]);
+		$new_password = User::generateNewPassword();
+		$result = User::updatePassword($user['uid'], $new_password);
 		if (DBM::is_result($result)) {
 			$tpl = get_markup_template('pwdreset.tpl');
 			$o .= replace_macros($tpl,
--- a/mod/settings.php
+++ b/mod/settings.php
@ -2,14 +2,15 @@
 /**
 * @file mod/settings.php
 */
+
 use Friendica\App;
 use Friendica\Content\Feature;
 use Friendica\Content\Nav;
 use Friendica\Core\Addon;
-use Friendica\Core\System;
-use Friendica\Core\Worker;
 use Friendica\Core\Config;
 use Friendica\Core\PConfig;
+use Friendica\Core\System;
+use Friendica\Core\Worker;
 use Friendica\Database\DBM;
 use Friendica\Model\GContact;
 use Friendica\Model\Group;
@ -391,12 +392,8 @@ function settings_post(App $a)
        }

 		if (!$err) {
-			$password = hash('whirlpool', $newpass);
-			$r = q("UPDATE `user` SET `password` = '%s' WHERE `uid` = %d",
-				dbesc($password),
-				intval(local_user())
-			);
-			if (DBM::is_result($r)) {
+			$result = User::updatePassword(local_user(), $newpass);
+			if (DBM::is_result($result)) {
 				info(t('Password changed.') . EOL);
 			} else {
 				notice(t('Password update failed. Please try again.') . EOL);
--- a/src/Model/User.php
+++ b/src/Model/User.php
@ -142,7 +142,7 @@ class User
 			return false;
 		}

-		$password_hashed = hash('whirlpool', $password);
+		$password_hashed = self::hashPassword($password);

 		if ($password_hashed !== $user['password']) {
 			return false;
@ -151,6 +151,52 @@ class User
 		return $user['uid'];
 	}

+	/**
+	 * Generates a human-readable random password
+	 *
+	 * @return string
+	 */
+	public static function generateNewPassword()
+	{
+		return autoname(6) . mt_rand(100, 9999);
+	}
+
+	/**
+	 * Global user password hashing function
+	 *
+	 * @param string $password
+	 * @return string
+	 */
+	private static function hashPassword($password)
+	{
+		return hash('whirlpool', $password);
+	}
+
+	/**
+	 * Updates a user row with a new plaintext password
+	 *
+	 * @param int    $uid
+	 * @param string $password
+	 * @return bool
+	 */
+	public static function updatePassword($uid, $password)
+	{
+		return self::updatePasswordHashed($uid, self::hashPassword($password));
+	}
+
+	/**
+	 * Updates a user row with a new hashed password.
+	 * Empties the password reset token field just in case.
+	 *
+	 * @param int    $uid
+	 * @param string $pasword_hashed
+	 * @return bool
+	 */
+	private static function updatePasswordHashed($uid, $pasword_hashed)
+	{
+		return dba::update('user', ['password' => $pasword_hashed, 'pwdreset' => ''], ['uid' => $uid]);
+	}
+
 	/**
 	 * @brief Catch-all user creation function
 	 *
@ -290,8 +336,8 @@ class User
 			throw new Exception(t('Nickname is already registered. Please choose another.'));
 		}

-		$new_password = strlen($password) ? $password : autoname(6) . mt_rand(100, 9999);
-		$new_password_encoded = hash('whirlpool', $new_password);
+		$new_password = strlen($password) ? $password : User::generateNewPassword();
+		$new_password_encoded = self::hashPassword($new_password);

 		$return['password'] = $new_password;