/**
* Formats a password using the current encryption. If the user ID is given
* and the hash does not fit the current hashing algorithm, it automatically
* updates the hash.
*
* @param string $password The plaintext password to check.
* @param string $hash The hash to verify against.
* @param integer $user_id ID of the user if the password hash should be updated
*
* @return boolean True if the password and hash match, false otherwise
*
* @since 3.2.1
*/
public static function verifyPassword($password, $hash, $user_id = 0)
{
$rehash = false;
$match = false;
// If we are using phpass
if (strpos($hash, '$P$') === 0) {
// Use PHPass's portable hashes with a cost of 10.
$phpass = new PasswordHash(10, true);
$match = $phpass->CheckPassword($password, $hash);
$rehash = false;
} else {
// Check the password
$parts = explode(':', $hash);
$crypt = $parts[0];
$salt = @$parts[1];
$rehash = true;
$testcrypt = md5($password . $salt) . ($salt ? ':' . $salt : '');
$match = JCrypt::timingSafeCompare($hash, $testcrypt);
}
// If we have a match and rehash = true, rehash the password with the current algorithm.
if ((int) $user_id > 0 && $match && $rehash) {
$user = new JUser($user_id);
$user->password = self::hashPassword($password);
$user->save();
}
return $match;
}
/**
* Formats a password using the current encryption. If the user ID is given
* and the hash does not fit the current hashing algorithm, it automatically
* updates the hash.
*
* @param string $password The plaintext password to check.
* @param string $hash The hash to verify against.
* @param integer $user_id ID of the user if the password hash should be updated
*
* @return boolean True if the password and hash match, false otherwise
*
* @since 3.2.1
*/
public static function verifyPassword($password, $hash, $user_id = 0)
{
$rehash = false;
$match = false;
// If we are using phpass
if (strpos($hash, '$P$') === 0) {
// Use PHPass's portable hashes with a cost of 10.
$phpass = new PasswordHash(10, true);
$match = $phpass->CheckPassword($password, $hash);
$rehash = true;
} elseif ($hash[0] == '$') {
// JCrypt::hasStrongPasswordSupport() includes a fallback for us in the worst case
JCrypt::hasStrongPasswordSupport();
$match = password_verify($password, $hash);
// Uncomment this line if we actually move to bcrypt.
$rehash = password_needs_rehash($hash, PASSWORD_DEFAULT);
} elseif (substr($hash, 0, 8) == '{SHA256}') {
// Check the password
$parts = explode(':', $hash);
$crypt = $parts[0];
$salt = @$parts[1];
$testcrypt = static::getCryptedPassword($password, $salt, 'sha256', true);
$match = JCrypt::timingSafeCompare($hash, $testcrypt);
$rehash = true;
} else {
// Check the password
$parts = explode(':', $hash);
$crypt = $parts[0];
$salt = @$parts[1];
$rehash = true;
// Compile the hash to compare
// If the salt is empty AND there is a ':' in the original hash, we must append ':' at the end
$testcrypt = md5($password . $salt) . ($salt ? ':' . $salt : (strpos($hash, ':') !== false ? ':' : ''));
$match = JCrypt::timingSafeCompare($hash, $testcrypt);
}
// If we have a match and rehash = true, rehash the password with the current algorithm.
if ((int) $user_id > 0 && $match && $rehash) {
$user = new JUser($user_id);
$user->password = static::hashPassword($password);
$user->save();
}
return $match;
}
/**
* This method should handle any authentication and report back to the subject
*
* @param array $credentials Array holding the user credentials
* @param array $options Array of extra options
* @param object &$response Authentication response object
*
* @return boolean
*
* @since 3.2
*/
public function onUserAuthenticate($credentials, $options, &$response)
{
// No remember me for admin
if ($this->app->isAdmin()) {
return false;
}
JLoader::register('JAuthentication', JPATH_LIBRARIES . '/joomla/user/authentication.php');
$response->type = 'Cookie';
// We need to validate the cookie data because there may be no Remember Me plugin to do it.
// Create the cookie name and data.
$rememberArray = JUserHelper::getRememberCookieData();
if ($rememberArray == false) {
return false;
}
list($privateKey, $series, $uastring) = $rememberArray;
// Find the matching record if it exists.
$query = $this->db->getQuery(true)->select($this->db->quoteName(array('user_id', 'token', 'series', 'time', 'invalid')))->from($this->db->quoteName('#__user_keys'))->where($this->db->quoteName('series') . ' = ' . $this->db->quote(base64_encode($series)))->where($this->db->quoteName('uastring') . ' = ' . $this->db->quote($uastring))->order($this->db->quoteName('time') . ' DESC');
$results = $this->db->setQuery($query)->loadObjectList();
$countResults = count($results);
if ($countResults !== 1) {
$response->status = JAuthentication::STATUS_FAILURE;
return;
} else {
if (substr($results[0]->token, 0, 4) === '$2y$') {
if (JCrypt::hasStrongPasswordSupport()) {
$match = password_verify($privateKey, $results[0]->token);
}
} else {
if (JCrypt::timingSafeCompare($results[0]->token, $privateKey)) {
$match = true;
}
}
if (empty($match)) {
JUserHelper::invalidateCookie($results[0]->user_id, $uastring);
JLog::add(JText::sprintf('PLG_SYSTEM_REMEMBER_ERROR_LOG_LOGIN_FAILED', $user->username), JLog::WARNING, 'security');
$response->status = JAuthentication::STATUS_FAILURE;
return false;
}
}
// Set cookie params.
if (!empty($options['lifetime']) && !empty($options['length']) && !empty($options['secure'])) {
$response->lifetime = $options['lifetime'];
$response->length = $options['length'];
$response->secure = $options['secure'];
}
// Make sure there really is a user with this name and get the data for the session.
$query = $this->db->getQuery(true)->select($this->db->quoteName(array('id', 'username', 'password')))->from($this->db->quoteName('#__users'))->where($this->db->quoteName('username') . ' = ' . $this->db->quote($credentials['username']));
$result = $this->db->setQuery($query)->loadObject();
if ($result) {
// Bring this in line with the rest of the system
$user = JUser::getInstance($result->id);
$cookieName = JUserHelper::getShortHashedUserAgent();
// If there is no cookie, bail out
if (!$this->app->input->cookie->get($cookieName)) {
return;
}
// Set response data.
$response->username = $result->username;
$response->email = $user->email;
$response->fullname = $user->name;
$response->password = $result->password;
$response->language = $user->getParam('language');
// Set response status.
$response->status = JAuthentication::STATUS_SUCCESS;
$response->error_message = '';
} else {
$response->status = JAuthentication::STATUS_FAILURE;
$response->error_message = JText::_('JGLOBAL_AUTH_NO_USER');
}
}
/**
* Verifies a password hash
*
* @param string $password The password to verify.
* @param string $hash The password hash to check.
*
* @return boolean True if the password is valid, false otherwise.
*
* @since 12.2
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function verify($password, $hash)
{
// Check if the hash is a blowfish hash.
if (substr($hash, 0, 4) == '$2a$' || substr($hash, 0, 4) == '$2y$') {
$type = '$2a$';
if (JCrypt::hasStrongPasswordSupport()) {
$type = '$2y$';
}
return password_verify($password, $hash);
}
// Check if the hash is an MD5 hash.
if (substr($hash, 0, 3) == '$1$') {
return JCrypt::timingSafeCompare(crypt($password, $hash), $hash);
}
// Check if the hash is a Joomla hash.
if (preg_match('#[a-z0-9]{32}:[A-Za-z0-9]{32}#', $hash) === 1) {
// Check the password
$parts = explode(':', $hash);
$salt = @$parts[1];
// Compile the hash to compare
// If the salt is empty AND there is a ':' in the original hash, we must append ':' at the end
$testcrypt = md5($password . $salt) . ($salt ? ':' . $salt : (strpos($hash, ':') !== false ? ':' : ''));
return JCrypt::timingSafeCompare($hash, $testcrypt);
}
return false;
}
/**
* Remember me method to run onAfterInitialise
*
* @return boolean
*
* @since 1.5
* @throws InvalidArgumentException
*/
public function onAfterInitialise()
{
// No remember me for admin
if ($this->app->isAdmin()) {
return false;
}
$user = JFactory::getUser();
$this->app->rememberCookieLifetime = $this->lifetime;
$this->app->rememberCookieSecure = $this->secure;
$this->app->rememberCookieLength = $this->length;
// Check for a cookie
if ($user->get('guest') == 1) {
// Create the cookie name and data
$rememberArray = JUserHelper::getRememberCookieData();
if ($rememberArray !== false) {
if (count($rememberArray) != 3) {
// Destroy the cookie in the browser.
$this->app->input->cookie->set(end($rememberArray), false, time() - 42000, $this->app->get('cookie_path'), $this->app->get('cookie_domain'));
JLog::add('Invalid cookie detected.', JLog::WARNING, 'error');
return false;
}
list($privateKey, $series, $uastring) = $rememberArray;
if (!JUserHelper::clearExpiredTokens($this)) {
JLog::add('Error in deleting expired cookie tokens.', JLog::WARNING, 'error');
}
// Find the matching record if it exists
$query = $this->db->getQuery(true)->select($this->db->quoteName(array('user_id', 'token', 'series', 'time', 'invalid')))->from($this->db->quoteName('#__user_keys'))->where($this->db->quoteName('series') . ' = ' . $this->db->quote(base64_encode($series)))->where($this->db->quoteName('uastring') . ' = ' . $this->db->quote($uastring))->order($this->db->quoteName('time') . ' DESC');
$results = $this->db->setQuery($query)->loadObjectList();
$countResults = count($results);
// We have a user but a cookie that is not in the database, or it is invalid. This is a possible attack, so invalidate everything.
if (($countResults === 0 || $results[0]->invalid != 0) && !empty($results[0]->user_id)) {
JUserHelper::invalidateCookie($results[0]->user_id, $uastring);
JLog::add(JText::sprintf('PLG_SYSTEM_REMEMBER_ERROR_LOG_INVALIDATED_COOKIES', $user->username), JLog::WARNING, 'security');
// Possibly e-mail user and admin here.
return false;
}
// We have a user with one cookie with a valid series and a corresponding record in the database.
if ($countResults === 1) {
if (!JCrypt::timingSafeCompare($results[0]->token, $privateKey)) {
JUserHelper::invalidateCookie($results[0]->user_id, $uastring);
JLog::add(JText::sprintf('PLG_SYSTEM_REMEMBER_ERROR_LOG_LOGIN_FAILED', $user->username), JLog::WARNING, 'security');
return false;
}
// Set up the credentials array to pass to onUserAuthenticate
$credentials = array('username' => $results[0]->user_id);
return $this->app->login($credentials, array('silent' => true, 'lifetime' => $this->lifetime, 'secure' => $this->secure, 'length' => $this->length));
}
}
}
return false;
}
