/**
 * A freshly generated random password must hash to a string that verifies
 * against itself through the same helper class.
 */
public function testPassword()
{
    $plain = \SecureFuncs\SecureFuncs::randomString(32);
    $digest = \SecureFuncs\SecureFuncs::password_hash($plain);

    $this->assertInternalType('string', $digest);
    $this->assertTrue(\SecureFuncs\SecureFuncs::password_verify($plain, $digest));
}
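/**
 * Log in an existing user.
 *
 * Looks the user up by e-mail address (when $username validates as one) or by
 * username, verifies the password against either the legacy md5 hash or the
 * bcrypt hash, upgrades legacy or outdated hashes, records the login attempt
 * and populates $_SESSION['currentuser'] under a fresh session id.
 *
 * @param string $username   Username or e-mail address; compared case-insensitively.
 * @param string $password   Plain-text password as entered.
 * @param string $rememberme "on" to also set the persistent authentication cookie.
 * @return bool true on success; false on any failure (a message is set via setMessage()).
 */
public function login($username, $password, $rememberme = "off")
{
    $this->checkLoggedIn();
    if (Core::$loggedIn !== false) {
        $this->setMessage('error', ADVANCEDLOGINSCRIPT_USER_ALREADY_LOGGED_IN);
        return false;
    }

    $username = strtolower($username);
    $_SESSION['stored_login_fields']['username'] = $username;

    // Lock out after three failed attempts. The previous version assigned the
    // result of ">=" to an unused local; the plain comparison is what was meant.
    if ($this->checkFailedLogins() >= 3) {
        $this->setMessage('error', ADVANCEDLOGINSCRIPT_USER_FAILED_ATTEMPTS);
        return false;
    }

    $record = $this->fetchLoginRecord($username);
    if (!$record) {
        // No such user: record the failed attempt without a user id.
        $this->addLoginAttempt(NULL, 'not_found');
        $this->setMessage('error', ADVANCEDLOGINSCRIPT_INVALID_LOGIN);
        return false;
    }

    // Database drivers commonly return numeric columns as strings; cast before
    // comparing so the ban check cannot be bypassed by a type mismatch (the
    // previous "=== 1" never matched a string "1").
    if ((int) $record['banned'] === 1) {
        // Banned user: reset the session as well.
        $this->setMessage('error', ADVANCEDLOGINSCRIPT_USER_BANNED);
        $this->logout();
        return false;
    }
    if ((int) $record['active'] === 0) {
        // Inactive user: the account still has to be activated.
        $this->logout();
        $this->setMessage('error', ADVANCEDLOGINSCRIPT_USER_INACTIVE);
        return false;
    }

    $storedHash = $record['password'];
    if (is_string($storedHash) && hash_equals($storedHash, md5($password))) {
        // Legacy md5 hash matched (checked first because it is cheap); always
        // migrate it to a bcrypt hash below. hash_equals() keeps the comparison
        // constant-time.
        $rehash = true;
    } elseif (\SecureFuncs\SecureFuncs::password_verify($password, $storedHash)) {
        // bcrypt hash matched; rehash only if the algorithm/cost is outdated.
        $rehash = password_needs_rehash($storedHash, PASSWORD_DEFAULT);
    } else {
        $this->addLoginAttempt($record['id'], 'invalid_password');
        $this->setMessage('error', ADVANCEDLOGINSCRIPT_INVALID_LOGIN);
        return false;
    }

    $update_user = $this->newBuilder()
        ->update('users')
        ->set('last_login', 'now()')
        ->where('id = :id')
        ->setParameter(":id", $record['id']);
    if ($rehash) {
        $newHash = \SecureFuncs\SecureFuncs::password_hash($password, PASSWORD_DEFAULT);
        $update_user->set('password', ':password')->setParameter(":password", $newHash);
    }
    $update_user->execute();

    // Loose "on" comparison kept for callers passing a boolean checkbox value.
    if ($rememberme === "on" || $rememberme === true) {
        $this->set_auth_cookie($record['id']);
    }

    // Record the successful attempt.
    $this->addLoginAttempt($record['id'], 1);

    // Never keep the password hash in the session.
    unset($record['password']);
    unset($_SESSION['stored_login_fields']);

    // Rotate the session id before storing the authenticated state so a
    // pre-authentication session id never carries a logged-in user, and drop
    // the old session data.
    session_regenerate_id(true);
    $_SESSION['currentuser'] = $record;

    $this->setMessage('success', ADVANCEDLOGINSCRIPT_USER_LOGGED_IN . $record['username']);
    if (ADVANCEDLOGINSCRIPT_ENABLE_JWT) {
        $this->refreshJWTtoken($record);
    }
    return true;
}

/**
 * Fetch the user row for a login attempt, joined with its usergroup.
 *
 * @param string $username Lower-cased username or e-mail address.
 * @return array|false The row, or false when no user matches.
 */
private function fetchLoginRecord($username)
{
    $builder = $this->newBuilder()
        ->select('*, u.id as id, ug.id as usergroup_id, ug.name as usergroup')
        ->from('users', 'u')
        ->innerJoin('u', 'usergroups', 'ug', 'u.user_group = ug.id');

    if (filter_var($username, FILTER_VALIDATE_EMAIL) !== false) {
        // Input is a valid e-mail address: match on the email column.
        $builder = $builder->where('LOWER(email) = :email')->setParameter('email', $username);
    } else {
        // Otherwise treat the input as a username.
        $builder = $builder->where('LOWER(username) = :username')->setParameter('username', $username);
    }

    return $builder->execute()->fetch();
}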