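/**
 * Extra test: password migration.
 *
 * Manually insert an old-style password hash in the database, then
 * make sure that the password field in the database gets updated when
 * the migration function is invoked.
 *
 * Relies on the test database being reachable through the legacy
 * mysql_* extension, on the $testUserId1 fixture user and on the
 * countTestRows() / db_sql_decode() helpers of this test suite.
 *
 * @depends testLegacyPassword
 */
public function testPasswordMigration()
{
    global $testUserId1;

    // NOTE(review): both literals below look redacted in this copy of the
    // file ('******'); confirm against the original fixture that the
    // plaintext really hashes to $oldPasswordHash under the legacy scheme.
    $password = '******';
    $oldPasswordHash = '$0$6cc7c5a5a21978e5587a59186cadb5e3';

    $object = new User($testUserId1);
    $object->save();

    // Force the legacy hash into the row directly, bypassing the model, so
    // the test really starts from a pre-migration state. Previously the
    // UPDATE wrote a fixed literal instead of $oldPasswordHash, which left
    // the variable unused and made the assertNotEquals() below vacuous.
    // $testUserId1 is a fixture value, not user input, hence no escaping;
    // a failed UPDATE is reported instead of silently ignored.
    $query = "UPDATE blogUser "
        . "SET password='{$oldPasswordHash}' "
        . "WHERE userId='{$testUserId1}'";
    if (mysql_query($query) === false) {
        $this->fail("Got error in mySQL query '{$query}': " . mysql_error());
    }

    $object->load($testUserId1);
    $rows = $this->countTestRows();

    // The legacy hash must still verify before migration runs.
    $this->assertTrue($object->checkPassword($password));

    // Migrating must add exactly one row (the suite's row-count helper is
    // the only evidence of that contract — confirm if it changes).
    $object->updatePasswordHash($password);
    $this->assertEquals($rows + 1, $this->countTestRows());

    // Read back the freshly written row and make sure the stored hash is
    // no longer the legacy one.
    $updated = $object->getUpdated();
    $query = "SELECT password "
        . "FROM blogUser "
        . "WHERE userId='{$testUserId1}' "
        . "AND updated='{$updated}'";
    $result = mysql_query($query);
    if ($result === false) {
        $this->fail("Got error in mySQL query '{$query}': " . mysql_error());
    }
    $this->assertSame(1, mysql_num_rows($result));
    $line = mysql_fetch_array($result);
    $newPasswordHash = db_sql_decode($line[0]);
    $this->assertNotEquals($oldPasswordHash, $newPasswordHash);

    // After re-encoding, the plaintext must still verify.
    $this->assertTrue($object->checkPassword($password));

    // A second migration call on an already-migrated hash must succeed.
    $object->updatePasswordHash($password);
}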
if (isset($data['password'])) { $password = $data['password']; } if ($userId === '' || $password === '') { $response = errorResponse(RESPONSE_BAD_REQUEST); } else { $user = new User($userId); if ($user->getCreated() === null) { $response = errorResponse(RESPONSE_NOT_FOUND); } else { if ($user->checkPassword($password)) { // password matches, need to allow for hash update (if hash // algorithm changed, the new hash can only be stored in the // database when we have the actual password, and only at login // time do we have the actual password) $user->updatePasswordHash($password); $authId = Auth::generateAuthId(); $auth = new Auth($authId); $auth->setUserId($userId); $auth->save(); $response = successResponse(); $response['authId'] = $authId; } else { $response = errorResponse(RESPONSE_UNAUTHORIZED); } } } } else { $response = errorResponse(RESPONSE_METHOD_NOT_ALLOWED, $_SERVER['REQUEST_METHOD']); } echo json_encode($response);