Symfony custom user provider / salting password - php

I'm using DynamoDB for my application so the doctrine ORM isn't an option for me when it comes to authentication.
I've created a basic user provider and have it working perfectly when using a sha1 hash, however I'm completely stuck / don't understand how to get it working with salt.
FYI: My code is based on this guide from the manual
Code:
Once the 'new user' form has been submitted I grab the raw data, do the following, and then persist to the DB - this works fine:
$salt = '79fdshjh408hjhgd87r5438ujl';
$password = base64_encode(sha1($rawPassword.'{'.$salt.'}'));
When authenticating I have a 'userProvider' that requests the users details based on username from the DB - this also works fine and I'm returned all the details
//WebserviceUserProvider.php
$username = $userData['userName'];
$password = $userData['password'];
$roles[0] = 'ROLE_ADMIN';
$salt = '79fdshjh408hjhgd87r5438ujl';
return new WebserviceUser($username, $password, $salt, $roles);
the WebserviceUser file is a direct copy of the one in the docs:
security.yml
security:
encoders:
HvH\SecurityBundle\Security\WebserviceUser:
algorithm: sha1
iterations: 1
encode_as_base64: true
If anyone could point me in the right direction, it would be much appreciated.
Thank you

Related

In laravel I can get my username but I can't get my password

Please, please, someone help me; my boss would kill me. This code is not working in Laravel because the password is hashed (it is bcrypted). How do I compare and get my us_id (which stands for username_id), the one that tried to login but has the wrong password? Do you have any suggestion? What I'm trying to do is very simple: I'm trying to understand if the user entered a wrong password but his/her username is right. I am a beginner, sorry for that :(. I know this won't work, but what should I do to understand if the user entered a wrong password?
public function login(Request $request, Logs $logs)
{
$password = $request->input('password');
$myuser = \DB::table('users')->where('password', $password)->first();
if (\Hash::check($password, $myuser->password)) {
$logdata = $myuser->id;
$logs->insert($logdata);
return view('MainPages.example', ['pass' => $password]);
}
}
The password is hashed by Laravel, so use the Hash::check() method:
if (\Hash::check($password, $myuser->password)) {
The Laravel Hash facade provides secure Bcrypt hashing for storing user passwords. If you are using the built-in LoginController and RegisterController classes that are included with your Laravel application, they will automatically use Bcrypt for registration and authentication.
https://laravel.com/docs/5.5/hashing
You can't expect this to work.
Passwords are stored encrypted. Multiple people could theoretically have the exact same password, but none of them would look identical when stored. Therefore you don't know what to look for in the record, even if you know what password you are looking for because you don't know what salt was used for the particular record where it is stored.
You just can't retrieve a record on a password lookup like this. Rather, you have to retrieve the record first (based on some other key, e.g. username or id) and then see if the given password, hashed with the ever important salt, matches what is stored.

Default hash type of passwords in Laravel

What type of hashing algorithm is used by default for passwords in Laravel. If we want to change the password in the database then how can we identify the hash type of the password?
According to the Laravel documentation:
The Laravel Hash facade provides secure Bcrypt hashing for storing user passwords. If you are using the AuthController controller that is included with your Laravel application, it will take care of verifying the Bcrypt password against the un-hashed version provided by the user.
Likewise, the user Registrar service that ships with Laravel makes the proper bcrypt function call to hash stored passwords.
Hashing A Password Using Bcrypt
$password = Hash::make('secret');
You may also use the bcrypt helper function:
$password = bcrypt('secret');
Verifying A Password Against A Hash
if (Hash::check('secret', $hashedPassword))
{
// The passwords match...
}
Checking If A Password Needs To Be Rehashed
if (Hash::needsRehash($hashed))
{
$hashed = Hash::make('secret');
}
You can also use laravel/tinker to update/create/delete/etc. data in the DB table from the console, for example:
php artisan tinker
>> $user = App\Models\User::find(2); // or User::find(2): find the user with id 2
>> $user->password = bcrypt('test83403'); // change the password
>> $user->save(); // save the change
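As an added example that is not code from either of the two questions above or from Laravel itself, the standalone PHP script below shows the flow the answers describe: a user row cannot be found by password, so the row is located by username first and the bcrypt hash is then verified. It uses PHP's password_hash()/password_verify()/password_needs_rehash(), which is what Laravel's Hash facade (Hash::make, Hash::check, Hash::needsRehash) wraps for bcrypt. The $users array is constructed test data standing in for the users table, and BCRYPT_COST is an assumed value.

```php
<?php
// Added example, not code from the questions or from Laravel: why a lookup by
// password fails, and how fetch-by-username followed by password_verify() works.
declare(strict_types=1);

const BCRYPT_COST = 10; // assumed; Laravel's BcryptHasher defaults to 10 rounds

// Two constructed accounts that share the same plain-text password.
$users = [
    ['id' => 7,  'username' => 'alice', 'password' => password_hash('s3cret!', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])],
    ['id' => 12, 'username' => 'bob',   'password' => password_hash('s3cret!', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])],
];

// The approach from the question: WHERE password = <plain text>. The stored value is
// a salted bcrypt hash, so it never equals the plain text; bcrypt also draws a fresh
// random salt per call, so alice's and bob's hashes are not even equal to each other.
function findByPassword(array $users, string $plain): ?array
{
    foreach ($users as $u) {
        if ($u['password'] === $plain) {
            return $u;
        }
    }
    return null;
}

// Working approach: locate the row by username (the only field you can match), then
// let password_verify() read the salt and cost back out of the stored hash. The
// result carries the user id, so a wrong password for a known account can be logged
// internally; the message shown to the client should not distinguish the two failures.
function login(array $users, string $username, string $plain): array
{
    foreach ($users as $u) {
        if ($u['username'] !== $username) {
            continue;
        }
        if (password_verify($plain, $u['password'])) {
            // Equivalent of Hash::needsRehash(): true once the configured cost is raised.
            $rehash = password_needs_rehash($u['password'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
            return ['status' => 'ok', 'user_id' => $u['id'], 'needs_rehash' => $rehash];
        }
        return ['status' => 'wrong_password', 'user_id' => $u['id']];
    }
    return ['status' => 'unknown_user', 'user_id' => null];
}

echo 'lookup by password found a row: ', var_export(findByPassword($users, 's3cret!') !== null, true), PHP_EOL;
echo 'same password, identical hashes: ', var_export($users[0]['password'] === $users[1]['password'], true), PHP_EOL;
echo 'alice / correct password: ', login($users, 'alice', 's3cret!')['status'], PHP_EOL;
$attempt = login($users, 'bob', 'not-the-password');
echo 'bob / wrong password: ', $attempt['status'], ' (user id ', $attempt['user_id'], ' available for the log)', PHP_EOL;
echo 'mallory / any password: ', login($users, 'mallory', 's3cret!')['status'], PHP_EOL;
```

In a Laravel controller the same shape is `User::where('username', $request->input('username'))->first()` followed by `Hash::check($password, $user->password)`; the id of the matched user is what goes into the log on a wrong password, never the password itself.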

Transferring FOS_USERS between symfony projects

I've been given the task of transferring a user database from one FOSUserBundle/Symfony project to another.
My sample user from the old project has been transferred over to the new project containing all the same fields [ salt, password, etc ], yet I'm unable to login using the same username / password combination.
What else goes into the password storage in FOSUserBundle that would make the password + salt combination invalid between projects, and how can I transfer the raw data of the old project into the new project?
My input is a JSON file with all the user table details. I am importing this through PHP, and creating and persisting user objects in a loop without using fos_user.user_manager.
foreach ($obj as $userData) {
if (isset($userData['personalDetails'])) {
if (isset($userData['personalDetails']['firstName'])) {
/** @var User $user */
$user = new User();
$user->setId($userData['id']);
$user->setSalt($userData['salt']);
$user->setPassword($userData['password']);
$user->setUsername($userData['email']);
$user->setEmail($userData['email']);
$user->setEnabled($userData['enabled']);
$user->setExpired($userData['expired']);
$user->getPersonalDetails()->setFirstName($userData['personalDetails']['firstName']);
$user->getPersonalDetails()->setLastName($userData['personalDetails']['lastName']);
$user->setFacebookId($userData['facebookId']);
$user->setFacebookAccessToken($userData['facebookAccessToken']);
$user->setGoogleId($userData['googleId']);
$user->setGoogleAccessToken($userData['googleAccessToken']);
$this->getDoctrine()->getManager()->persist($user);
}
}
}
You can use the same table (FOSUSER) with your new project, or just dump your table and move it to your new database.
If you do that, you have to keep the same "Encoder configuration" in security as the old project.
The UserPassword only needs the salt, the PlainPassword and the user's encoder to create the hashed password. If you have the same configuration in the new project as in the old one, everything will be OK. Hope I helped you.. Let us know.
//Security.yml
security:
encoders:
Site\UserBundle\Entity\User: sha512
FOS\UserBundle\Model\UserInterface: sha512

Use laravel 4 passwords with phalcon

I am trying to use my stored passwords from Laravel 4 in a fresh Phalcon installation. I have no idea whether this is possible and tried it this way in the SessionController of the Phalcon sample application INVO:
#$password = sha1($password);
$password = password_hash($password, PASSWORD_BCRYPT);
Can I use another hash algorithm in Phalcon that fits Laravel 4 passwords, or can I convert the hashes somehow?
You should be able to use Laravel hashes - all you need to do is check how Laravel is creating and checking them.
Check this code from BCryptHasher::make() and this for validating.
The problem is that in Laravel this algorithm is a bit different. First it obtains the user from the database, then it checks whether the password is the same with password_verify. In INVO you first hash the given password and then search for a user with the given email and hash - if it finds anything, it can log the user in. Below should do the trick, knowing the $cost value from the Laravel settings (the class defaults to 10).
$password = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));
Edit: while the above would be true for SHA1 and similar, the INVO code should be changed to match the login algorithm in Laravel and BCrypt itself:
// look the user up by email only; the stored value is a bcrypt hash, so it cannot be part of the query
$user = Users::findFirst(array("email = :email: AND active='Y'", 'bind' => array('email' => $email)));
// password_verify(plain, hash): the plain-text password comes first, the stored hash second
if ($user != false && password_verify($this->request->getPost('password'), $user->password)) {
// login user
}
Laravel is using BCrypt for a reason - it is generally a very good choice for hashing, so you should stick to it.
Anyway, you could write a password migration which runs upon each successful user login:
validate the user's password using the old hashing algorithm
check whether the user has migrated their password (i.e. by checking some database field - or a separate table)
hash the given password with the new algorithm
store the new hash and update the user table (with the information that the hash has been changed)
This is rather complicated and should only be needed when migrating to a "better" algorithm.
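The four-step migrate-on-login procedure above, written out as an added standalone PHP example (not code from the answer, from INVO or from Laravel). It assumes legacy rows hold an unsalted sha1 hex digest as the INVO sample code produced, and records the scheme in a constructed 'algo' column; a real application would read and write the rows through its ORM, and BCRYPT_COST is an assumed value.

```php
<?php
// Added example, not from the answer or any of the projects named: migrating
// legacy sha1 password hashes to bcrypt at the moment a user logs in successfully.
declare(strict_types=1);

const BCRYPT_COST = 10; // assumed; match the cost configured in the source application

// Constructed rows. 'legacy' rows still hold sha1($plain) as a hex string; 'bcrypt'
// rows already hold a password_hash() result that carries its own salt and cost.
$users = [
    'carol' => ['id' => 3, 'algo' => 'legacy', 'password' => sha1('winter2014')],
    'dave'  => ['id' => 4, 'algo' => 'bcrypt', 'password' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])],
];

// Step 1: verify with whichever scheme the row records. hash_equals() keeps the
// legacy comparison constant-time; password_verify() is constant-time already.
function verifyPassword(array $row, string $plain): bool
{
    if ($row['algo'] === 'legacy') {
        return hash_equals($row['password'], sha1($plain));
    }
    return password_verify($plain, $row['password']);
}

// Steps 2-4: only after a successful verification, a row still on the legacy scheme
// is rehashed with bcrypt and updated together with its scheme marker. The plain
// text is available here anyway because the user just typed it; it is never stored.
function loginAndMigrate(array &$users, string $username, string $plain): bool
{
    if (!isset($users[$username]) || !verifyPassword($users[$username], $plain)) {
        return false;
    }
    if ($users[$username]['algo'] === 'legacy') {
        $users[$username]['password'] = password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $users[$username]['algo'] = 'bcrypt';
    }
    return true;
}

// carol's first login is checked against sha1 and migrates the row;
// her second login is served by bcrypt alone, and a wrong password is still rejected.
echo 'carol before: ', $users['carol']['algo'], PHP_EOL;
echo 'first login: ', loginAndMigrate($users, 'carol', 'winter2014') ? 'ok' : 'rejected', PHP_EOL;
echo 'carol after: ', $users['carol']['algo'], PHP_EOL;
echo 'second login: ', loginAndMigrate($users, 'carol', 'winter2014') ? 'ok' : 'rejected', PHP_EOL;
echo 'wrong password: ', loginAndMigrate($users, 'carol', 'nope') ? 'ok' : 'rejected', PHP_EOL;
echo 'dave (already bcrypt): ', loginAndMigrate($users, 'dave', 'hunter2') ? 'ok' : 'rejected', PHP_EOL;
```

Rows that never log in again keep their weak legacy hash, so the 'algo' column also tells you how much of the table still needs a forced reset once the migration window closes.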

Compare password with Hashed + Salt generated by Symfony 2

I'm trying to authenticate users in Mysql database generated by Symfony 2. In Security.yml I have this :
security:
encoders:
"FOS\UserBundle\Model\UserInterface": sha512
In User Table there is 2 fields : Salt and Password.
All passwords are like that :
YqkYUe0pV/TAw12aG2UcBax0hnJNeHez/S0uBGbnDDBxWD2Yeetqm4DfMn/8WKILIeRpM7ncTJ9coYOiNPGeOA==
I'm working on a webservice to authenticate users using PHP. I don't know which functions I have to use to compare a plain password with the encrypted ones.
You have to get the password encoder factory from the container.
You can do so like this :
$factory = $container->get('security.encoder_factory'); //$container refers to your container, it can be also $this->container
$user = new Your\Bundle\Entity\User();
$encoder = $factory->getEncoder($user);
$encodedPassword = $encoder->encodePassword($nonEncodedPassword, $user->getSalt());
This should be enough. Of course you can set the second encodePassword parameter "by hand", as it's the salt used to encode all passwords. It's usually defined in your user implementation class, that's why we give an instantiated entity object here.
This is the class that handles the sha512 encryption in Symfony2
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php
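For a webservice that does not have the Symfony container at hand, the hash can be reproduced directly. The following is an added standalone PHP re-implementation of the algorithm in the MessageDigestPasswordEncoder linked above, not code from the answers or from Symfony itself; it serves both this question and the first one on this page (the custom WebserviceUser with salt). It assumes the Symfony 2.x defaults for the shorthand "sha512" encoder entry (5000 iterations, base64 output); the salt is the one quoted in the first question and the password is a constructed value.

```php
<?php
// Added example, not Symfony's own code: the message-digest encoder algorithm
// (salt merged as raw.'{'.salt.'}', iterated hashing over raw digest bytes, then
// base64 or hex), plus a constant-time verification helper for a standalone webservice.
declare(strict_types=1);

function symfonyDigestEncode(string $raw, string $salt, string $algorithm = 'sha512', int $iterations = 5000, bool $asBase64 = true): string
{
    if (!in_array($algorithm, hash_algos(), true)) {
        throw new InvalidArgumentException("unsupported hash algorithm: $algorithm");
    }
    // The encoder rejects salts containing the delimiters it wraps the salt in.
    if (strpbrk($salt, '{}') !== false) {
        throw new InvalidArgumentException('salt must not contain "{" or "}"');
    }
    $salted = $salt === '' ? $raw : $raw . '{' . $salt . '}';
    // Third argument true: the digest is kept as raw bytes, not as a hex string.
    $digest = hash($algorithm, $salted, true);
    // "Stretch" the hash: each further iteration hashes the previous digest plus the salted input.
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash($algorithm, $digest . $salted, true);
    }
    return $asBase64 ? base64_encode($digest) : bin2hex($digest);
}

// Compare with a timing-safe comparison rather than == or ===.
function symfonyDigestVerify(string $stored, string $raw, string $salt, string $algorithm = 'sha512', int $iterations = 5000, bool $asBase64 = true): bool
{
    return hash_equals($stored, symfonyDigestEncode($raw, $salt, $algorithm, $iterations, $asBase64));
}

$salt  = '79fdshjh408hjhgd87r5438ujl'; // salt from the first question on this page
$plain = 'correct horse';              // constructed password

// security.yml "FOS\UserBundle\Model\UserInterface: sha512" (defaults assumed: 5000 iterations, base64).
$stored = symfonyDigestEncode($plain, $salt);
echo 'stored (', strlen($stored), ' chars): ', $stored, PHP_EOL;
echo 'correct password: ', var_export(symfonyDigestVerify($stored, $plain, $salt), true), PHP_EOL;
echo 'wrong password:   ', var_export(symfonyDigestVerify($stored, 'nope', $salt), true), PHP_EOL;

// The first question's explicit config: algorithm sha1, iterations 1, encode_as_base64 true.
// sha1($x) without its binary flag returns 40 hex characters, so base64_encode(sha1(...))
// encodes that hex text, whereas the encoder base64-encodes the 20 raw digest bytes.
$viaEncoder       = symfonyDigestEncode($plain, $salt, 'sha1', 1, true);
$viaHexThenBase64 = base64_encode(sha1($plain . '{' . $salt . '}'));
$viaRawThenBase64 = base64_encode(sha1($plain . '{' . $salt . '}', true));
echo 'encoder vs base64(hex sha1): ', $viaEncoder === $viaHexThenBase64 ? 'same' : 'different', PHP_EOL;
echo 'encoder vs base64(raw sha1): ', $viaEncoder === $viaRawThenBase64 ? 'same' : 'different', PHP_EOL;
```

With sha512 the base64 output is 88 characters ending in "==", the same shape as the stored value quoted in the question. When verifying against an existing table, pull algorithm, iterations and encode_as_base64 from the project's security.yml rather than guessing: a single mismatched parameter, or hashing the hex digest instead of the raw bytes, produces a different string for the same password and salt.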
