coa/aowow
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Account/Passwords

Browse source 
* use buildin php functions to handle passwords
 * increase cost of BCRYPT
 * make use of the SensitiveParameter attribute
This commit is contained in:
Sarjuuk 2025-10-12 04:42:34 +02:00
parent dd838fa994
commit fb7b22db36
2 changed files with 10 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

2
config/extAuth.php.in
View file

@ -4,7 +4,7 @@ if (!defined('AOWOW_REVISION'))
die('illegal access'); die('illegal access');
function extAuth(string &$usernameOrEmail, string $password, int &$userId = 0, int &$userGroup = -1) : int function extAuth(string &$usernameOrEmail, #[\SensitiveParameter] string $password, int &$userId = 0, int &$userGroup = -1) : int
{ {
/* /*
insert some auth mechanism here insert some auth mechanism here

27
includes/user.class.php
View file

@ -236,7 +236,7 @@ class User
/* auth mechanisms */ /* auth mechanisms */
/*******************/ /*******************/
public static function authenticate(string $login, string $password) : int public static function authenticate(string $login, #[\SensitiveParameter] string $password) : int
{ {
$userId = 0; $userId = 0;
@ -259,7 +259,7 @@ class User
return $result; return $result;
} }
private static function authSelf(string $nameOrEmail, string $password, int &$userId) : int private static function authSelf(string $nameOrEmail, #[\SensitiveParameter] string $password, int &$userId) : int
{ {
if (!self::$ip) if (!self::$ip)
return AUTH_INTERNAL_ERR; return AUTH_INTERNAL_ERR;
@ -304,7 +304,7 @@ class User
return AUTH_OK; return AUTH_OK;
} }
private static function authRealm(string $name, string $password, int &$userId) : int private static function authRealm(string $name, #[\SensitiveParameter] string $password, int &$userId) : int
{ {
if (!DB::isConnectable(DB_AUTH)) if (!DB::isConnectable(DB_AUTH))
return AUTH_INTERNAL_ERR; return AUTH_INTERNAL_ERR;
@ -327,7 +327,7 @@ class User
return AUTH_OK; return AUTH_OK;
} }
private static function authExtern(string $nameOrEmail, string $password, int &$userId) : int private static function authExtern(string $nameOrEmail, #[\SensitiveParameter] string $password, int &$userId) : int
{ {
if (!file_exists('config/extAuth.php')) if (!file_exists('config/extAuth.php'))
{ {
@ -387,24 +387,15 @@ class User
return $newId ?: 0; return $newId ?: 0;
} }
private static function createSalt() : string // crypt used by us
public static function hashCrypt(#[\SensitiveParameter] string $pass) : string
{ {
$algo = '$2a'; return password_hash($pass, PASSWORD_BCRYPT, ['cost' => 15]);
$strength = '$09';
$salt = '$'.Util::createHash(22);
return $algo.$strength.$salt;
} }
// crypt used by aowow public static function verifyCrypt(#[\SensitiveParameter] string $pass, string $hash) : bool
public static function hashCrypt(string $pass) : string
{ {
return crypt($pass, self::createSalt()); return password_verify($pass, $hash);
}
public static function verifyCrypt(string $pass, string $hash) : bool
{
return $hash === crypt($pass, $hash);
} }
// SRP6 used by TC // SRP6 used by TC