/**
* verify if the input password is correct
*
* @param string $username the string username
* @param string $password the plaintext password
* @param string $hash the password hash from the database
* @param string &$rehash if password needs rehash, this variable is used
* @return boolean
*/
function verifyPassword($username, $password, $hash, &$rehash)
{
if (!Hashing::isSupported()) {
// modern hashing not supported
return $hash === Validation::encryptCredentials($username, $password, false, true);
} elseif (Hashing::needsRehash($hash)) {
// update to new hashing algorithm
$oldHash = Validation::encryptCredentials($username, $password, false, true);
if ($oldHash === $hash) {
// update hash
$rehash = Validation::encryptCredentials($username, $password);
return true;
}
}
return Hashing::isValid($password, $hash);
}
