/**
* Call this when logging in an user. If password is correct, the last
* login date is updated. If the password storage method was outdated, the
* password is rehashed.
*
* @param User $user The user.
* @param string $password_unhashed The password entered by the user.
*/
protected function loginCheck(User $user, $password_unhashed)
{
if ($this->userRepo == null) {
// Unable to log in when userRepo is not present
return false;
}
$password_hashed = $user->getPasswordHashed();
$loggedIn = false;
if (strLen($password_hashed) == 32 && $password_hashed[0] != '$') {
// Still md5(sha1($pass)), update
if (md5(sha1($password_unhashed)) == $password_hashed) {
// Gets saved later on, when updating the last login
$user->setPassword($password_unhashed);
$loggedIn = true;
}
}
// Try to use modern password verification
if (!$loggedIn) {
$loggedIn = crypt($password_unhashed, $password_hashed) === $password_hashed;
}
if ($loggedIn) {
$status = $user->getStatus();
// Check whether the account is deleted
if ($status == Authentication::STATUS_DELETED) {
// Act like the account doesn't exist
return false;
}
// Check whether the account is banned
if ($status == Authentication::STATUS_BANNED) {
$text = $this->website->getText();
$text->addError($text->tReplaced("users.status.banned.your_account", $user->getStatusText()));
return false;
}
// Check password strength
if ($user->isWeakPassword($password_unhashed)) {
$text = $this->website->getText();
$text->addError($text->t("users.your_password_is_insecure"), Link::of($text->getUrlPage("edit_password"), $text->t("users.password.edit")));
}
// Update last login date (and possibly password hash, see above) if successfull
$user->setLastLogin(new DateTime());
$this->userRepo->save($user);
}
return $loggedIn;
}
