Using this function is the proper way to hash a password. Using naïve
methods such as sha1 or md5, as is done in many web applications, is
improper due to the lack of a cryptographically strong salt.
Using lithium\security\Password::hash() ensures that:
- Two identical passwords will never use the same salt, thus never
resulting in the same hash; this prevents a potential attacker from
compromising user accounts by using a database of most commonly used
passwords.
- The salt generator's count iterator can be increased within Lithium
or your application as computer hardware becomes faster; this results
in slower hash generation, without invalidating existing passwords.
Usage:
Hash a password before storing it:
$hashed = Password::hash($password);
Check a password by comparing it to its hashed value:
$check = Password::check($password, $hashed);
Use a stronger custom salt:
$salt = Password::salt('bf', 16); // 2^16 iterations
$hashed = Password::hash($password, $salt); // Very slow
$check = Password::check($password, $hashed); // Very slow
Forward/backward compatibility
$salt1 = Password::salt('bf', 6);
$salt2 = Password::salt('bf', 12);
$hashed1 = Password::hash($password, $salt1); // Fast
$hashed2 = Password::hash($password, $salt2); // Slow
$check1 = Password::check($password, $hashed1); // True
$check2 = Password::check($password, $hashed2); // True
| public static hash ( string $password, string $salt = null ) : string | ||
| $password | string | The password to hash. |
| $salt | string | Optional. The salt string. |
| return | string | The hashed password. The result's length will be: - 60 chars long for Blowfish hashes - 20 chars long for XDES hashes - 34 chars long for MD5 hashes |
public function generatePassword($entity)
{
$newPassword = substr(md5(rand() . rand()), 0, 8);
$entity->prv_secret = Password::hash($newPassword);
Logger::debug("New Password for " . $entity->prv_uid . ": {$newPassword} (hash: {$entity->prv_secret})");
return $newPassword;
}
public static function validatorTest(array $options = array()) {
return new Record(array('data' => array(
'username' => 'Bob',
'password' => Password::hash('s3cure'),
'group' => 'editors'
)));
}
public static function find($type = 'all', array $options = array())
{
$result = array();
$users = array(array('id' => 1, 'username' => 'user1', 'email' => '*****@*****.**', 'password' => Password::hash('user1')), array('id' => 2, 'username' => 'user2', 'email' => '*****@*****.**', 'password' => Password::hash('user2')), array('id' => 3, 'username' => 'user3', 'email' => '*****@*****.**', 'password' => Password::hash('user3')));
switch ($type) {
case 'first':
if ($options['conditions']) {
$conditions = '';
foreach ($options['conditions'] as $key => $condition) {
!$conditions || ($conditions .= ' && ');
$comparation = '==';
if (is_array($condition)) {
$keys = array_keys($condition);
$comparation = $keys[0];
$condition = $condition[$keys[0]];
}
$conditions .= "\$user['{$key}'] {$comparation} '{$condition}'";
}
$eval = "return ({$conditions});";
foreach ($users as $user) {
if (eval($eval)) {
$result[] = $user;
}
}
if ($result) {
return new Record(array('data' => $result[0], 'model' => __CLASS__));
}
return null;
}
return new Record(array('data' => $users[0], 'model' => __CLASS__));
case 'all':
default:
return new Record(array('data' => $users, 'model' => __CLASS__));
}
}
/**
* testPasswordMaxLength method
*/
public function testPasswordMaxLength()
{
foreach (array('bf' => 72) as $method => $length) {
$salt = Password::salt($method);
$pass = str_repeat('a', $length);
$this->assertIdentical(Password::hash($pass, $salt), Password::hash($pass . 'a', $salt));
}
}
/**
* Tests that a random sequence of keys and tokens properly match one another.
*/
public function testKeyMatching()
{
for ($i = 0; $i < 4; $i++) {
$token = RequestToken::get(array('regenerate' => true));
for ($j = 0; $j < 4; $j++) {
$key = Password::hash($token);
$this->assertTrue(RequestToken::check($key));
}
}
}
public function testConfirm()
{
$validate = Validator::check(array('password' => 'user5', 'confirm_password' => 'user5'), array('confirm_password' => array('confirm', 'message' => 'Please confirm your password!')));
$this->assertTrue(empty($validate));
$validate = Validator::check(array('password' => 'user5', 'confirm_password' => 'user4'), array('confirm_password' => array('confirm', 'message' => 'Please confirm your password!')));
$this->assertTrue(!empty($validate));
$validate = Validator::check(array('password' => Password::hash('user5'), 'confirm_password' => 'user5'), array('confirm_password' => array('confirm', 'message' => 'Please confirm your password!', 'strategy' => 'password')));
$this->assertTrue(empty($validate));
$validate = Validator::check(array('password' => Password::hash('user5'), 'confirm_password' => 'user4'), array('confirm_password' => array('confirm', 'message' => 'Please confirm your password!', 'strategy' => 'password')));
$this->assertTrue(!empty($validate));
$validate = Validator::check(array('original_password' => 'user5', 'confirm_password' => 'user5'), array('confirm_password' => array('confirm', 'message' => 'Please confirm your password!', 'against' => 'original_password')));
$this->assertTrue(empty($validate));
$validate = Validator::check(array('original_password' => 'user5', 'confirm_password' => 'user4'), array('confirm_password' => array('confirm', 'message' => 'Please confirm your password!', 'against' => 'original_password')));
$this->assertTrue(!empty($validate));
}
/**
* Apply proper password hashing (on create or change password)
* On create:
* - apply defined default user group (LI3_UM_DefaultUserGroup)
* - apply defined active status (LI3_UM_RequireUserActivation)
* 0 - require user to activate account trough generated link with token
* 1 - don't require further actions, account is already activated
*/
public static function __init()
{
static::applyFilter('save', function ($self, $params, $chain) {
if ($params['data']) {
$params['entity']->set($params['data']);
$params['data'] = array();
}
if (!$params['entity']->exists()) {
if ($params['entity']->password) {
$params['entity']->password = Password::hash($params['entity']->password);
}
$params['entity']->active = 1;
if (LI3_UM_RequireUserActivation && $self::$request) {
$params['entity']->active = 0;
}
$params['entity']->user_group_id = LI3_UM_DefaultUserGroup;
} else {
if ($params['entity']->password && $params['entity']->modified('password')) {
$params['entity']->password = Password::hash($params['entity']->password);
}
}
return $chain->next($self, $params, $chain);
});
static::applyFilter('save', function ($self, $params, $chain) {
if (($save = $chain->next($self, $params, $chain)) && $params['options']['events'] === 'create') {
$user = $params['entity'];
AboutUsers::create(array('user_id' => $user->id))->save();
if (LI3_UM_RequireUserActivation && $self::$request) {
$token = Token::generate($user->email);
UserActivations::create(array('user_id' => $user->id, 'token' => $token))->save();
$link = Router::match(array('li3_usermanager.Users::activate', 'id' => $user->id, 'token' => $token), $self::$request, array('absolute' => true));
Mailer::$_data['subject'] = 'Your activation link!';
Mailer::$_data['from'] = LI3_UM_ActivationEmailFrom;
Mailer::$_data['to'] = $user->email;
Mailer::$_data['body'] = 'This is your activation link:' . "\n" . $link;
}
}
return $save;
});
}
/**
* Tests salting passwords with the MD5 algorithm.
*/
public function testSaltMD5()
{
$this->skipIf(!CRYPT_MD5, 'MD5 is not supported.');
$saltPattern = "{^\\\$1\\\$[0-9A-Za-z./]{8}\$}";
$hashPattern = "{^\\\$1\\\$[0-9A-Za-z./]{8}\\\$[0-9A-Za-z./]{22}\$}";
$salt = Password::salt('md5', null);
$this->assertPattern($saltPattern, $salt);
$this->assertNotEqual($salt, Password::salt('md5', null));
$hash = Password::hash($this->_password, $salt);
$hash2 = Password::hash($this->_password, Password::salt('md5', null));
$this->assertPattern($hashPattern, $hash);
$this->assertNotEqual($hash, $hash2);
}
/**
* Generates a single-use key to be embedded in a form or used with another non-idempotent
* request (a request that changes the state of the server or application), that will match
* against a client session token using the `check()` method.
*
* @see lithium\security\validation\RequestToken::check()
* @param array $options An array of options to be passed to `RequestToken::get()`.
* @return string Returns a hashed key string for use with `RequestToken::check()`.
*/
public static function key(array $options = array())
{
return Password::hash(static::get($options));
}
<?php
use app\models\Users;
use lithium\security\Password;
Users::applyFilter('save', function ($self, $params, $chain) {
if ($params['data']) {
$params['entity']->set($params['data']);
$params['data'] = array();
}
if (!$params['entity']->exists()) {
$params['entity']->password = Password::hash($params['entity']->password);
}
return $chain->next($self, $params, $chain);
});
public static function __init()
{
/*
* Some special validation rules
*/
Validator::add('uniqueEmail', function ($value) {
$current_user = Auth::check('li3b_user');
if (!empty($current_user)) {
$user = User::find('first', array('fields' => array('_id'), 'conditions' => array('email' => $value, '_id' => array('$ne' => new MongoId($current_user['_id'])))));
} else {
$user = User::find('first', array('fields' => array('_id'), 'conditions' => array('email' => $value)));
}
if (!empty($user)) {
return false;
}
return true;
});
Validator::add('notEmptyHash', function ($value) {
if ($value == Password::hash('')) {
return false;
}
return true;
});
Validator::add('moreThanFive', function ($value) {
if (strlen($value) < 5) {
return false;
}
return true;
});
Validator::add('notTooLarge', function ($value) {
if ($value == 'TOO_LARGE.jpg') {
return false;
}
return true;
});
Validator::add('invalidFileType', function ($value) {
if ($value == 'INVALID_FILE_TYPE.jpg') {
return false;
}
return true;
});
parent::__init();
/*
* If told to ues a specific connection, do so.
* Otherwise, use the default li3b_users connection.
* Note: This model requires MongoDB.
* Also note: This must be called AFTER parent::__init()
*
* This is useful if the main application also uses MongoDB
* and wishes everything to use the same database...Be it
* local or on something like MongoLab or wherever.
*
* In fact, when gluing together libraries, one may choose
* all libraries that use the same database and kinda go
* with each other. That way it'll end up looking like a single
* cohesive application from the database's point of view.
* Of course the it's difficult to avoid conflicts in the MongoDB
* collection names. In this case, this model is prefixing the
* library name to the collection in order to ensure there are
* no conflicts.
*/
$libConfig = Libraries::get('li3b_users');
$connection = isset($libConfig['useConnection']) ? $libConfig['useConnection'] : 'li3b_users';
static::meta('connection', $connection);
}
/**
* Allows a user to update their own profile.
*
*/
public function update()
{
if (!$this->request->user) {
FlashMessage::write('You must be logged in to do that.', 'default');
return $this->redirect('/');
}
// Special rules for user creation (includes unique e-mail)
$rules = array('email' => array(array('notEmpty', 'message' => 'E-mail cannot be empty.'), array('email', 'message' => 'E-mail is not valid.'), array('uniqueEmail', 'message' => 'Sorry, this e-mail address is already registered.')));
// Get the document from the db to edit
$conditions = array('_id' => $this->request->user['_id']);
$document = User::find('first', array('conditions' => $conditions));
$existingProfilePic = !empty($document->profilePicture) ? $document->profilePicture : false;
// Redirect if invalid user...This should not be possible.
if (empty($document)) {
FlashMessage::write('You must be logged in to do that.', 'default');
return $this->redirect('/');
}
// If data was passed, set some more data and save
if ($this->request->data) {
// CSRF
if (!RequestToken::check($this->request)) {
RequestToken::get(array('regenerate' => true));
} else {
$now = new MongoDate();
$this->request->data['modified'] = $now;
// Add validation rules for the password IF the password and password_confirm field were passed
if (isset($this->request->data['password']) && isset($this->request->data['passwordConfirm']) && (!empty($this->request->data['password']) && !empty($this->request->data['passwordConfirm']))) {
$rules['password'] = array(array('notEmpty', 'message' => 'Password cannot be empty.'), array('notEmptyHash', 'message' => 'Password cannot be empty.'), array('moreThanFive', 'message' => 'Password must be at least 6 characters long.'));
// ...and of course hash the password
$this->request->data['password'] = Password::hash($this->request->data['password']);
} else {
// Otherwise, set the password to the current password.
$this->request->data['password'] = $document->password;
}
// Ensure the unique e-mail validation rule doesn't get in the way when editing users
// So if the user being edited has the same e-mail address as the POST data...
// Change the e-mail validation rules
if (isset($this->request->data['email']) && $this->request->data['email'] == $document->email) {
$rules['email'] = array(array('notEmpty', 'message' => 'E-mail cannot be empty.'), array('email', 'message' => 'E-mail is not valid.'));
}
// Set the pretty URL that gets used by a lot of front-end actions.
// Pass the document _id so that it doesn't change the pretty URL on an update.
$this->request->data['url'] = $this->_generateUrl($document->_id);
// Do not let roles or user active status to be adjusted via this method.
if (isset($this->request->data['role'])) {
unset($this->request->data['role']);
}
if (isset($this->request->data['active'])) {
unset($this->request->data['active']);
}
// Profile Picture
if (isset($this->request->data['profilePicture']['error']) && $this->request->data['profilePicture']['error'] == UPLOAD_ERR_OK) {
$rules['profilePicture'] = array(array('notTooLarge', 'message' => 'Profile picture cannot be larger than 250px in either dimension.'), array('invalidFileType', 'message' => 'Profile picture must be a jpg, png, or gif image.'));
list($width, $height) = getimagesize($this->request->data['profilePicture']['tmp_name']);
// Check file dimensions first.
// TODO: Maybe make this configurable.
if ($width > 250 || $height > 250) {
$this->request->data['profilePicture'] = 'TOO_LARGE.jpg';
} else {
// Save file to gridFS
$ext = substr(strrchr($this->request->data['profilePicture']['name'], '.'), 1);
switch (strtolower($ext)) {
case 'jpg':
case 'jpeg':
case 'png':
case 'gif':
case 'png':
$gridFile = Asset::create(array('file' => $this->request->data['profilePicture']['tmp_name'], 'filename' => (string) uniqid(php_uname('n') . '.') . '.' . $ext, 'fileExt' => $ext));
$gridFile->save();
break;
default:
$this->request->data['profilePicture'] = 'INVALID_FILE_TYPE.jpg';
//exit();
break;
}
// If file saved, set the field to associate it (and remove the old one - gotta keep it clean).
if (isset($gridFile) && $gridFile->_id) {
if ($existingProfilePic && substr($existingProfilePic, 0, 4) != 'http') {
$existingProfilePicId = substr($existingProfilePic, 0, -strlen(strrchr($existingProfilePic, '.')));
// Once last check...This REALLY can't be empty, otherwise it would remove ALL assets!
if (!empty($existingProfilePicId)) {
Asset::remove(array('_id' => $existingProfilePicId));
}
}
// TODO: Maybe allow saving to disk or S3 or CloudFiles or something. Maybe.
$this->request->data['profilePicture'] = (string) $gridFile->_id . '.' . $ext;
} else {
if ($this->request->data['profilePicture'] != 'INVALID_FILE_TYPE.jpg') {
$this->request->data['profilePicture'] = null;
}
}
}
} else {
$this->request->data['profilePicture'] = null;
}
// Save
if ($document->save($this->request->data, array('validate' => $rules))) {
FlashMessage::write('You have successfully updated your user settings.', 'default');
$this->redirect(array('library' => 'li3b_users', 'controller' => 'users', 'action' => 'update'));
} else {
$this->request->data['password'] = '';
FlashMessage::write('There was an error trying to update your user settings, please try again.', 'default');
}
}
}
$this->set(compact('document'));
}
