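function passwords_validate_password_for_user($password, &$user, $more = array()) {

    #
    # Check $password against the hash stored in $user['password'].
    #
    # If it validates but the stored hash is not bcrypt (prefix '$2a$'),
    # and both $more['ensure_bcrypt'] and $GLOBALS['passwords_canhas_bcrypt']
    # are truthy, the password is re-saved through users_update_password()
    # so the user is promoted to bcrypt; $user (passed by reference) is then
    # reloaded via users_get_by_id() so the caller sees the new hash.
    #
    # $more keys: 'ensure_bcrypt' (default 1).
    #
    # Returns false when no hash is stored, otherwise whatever
    # passwords_validate_password() returns.
    #

    $defaults = array('ensure_bcrypt' => 1);
    $more = array_merge($defaults, $more);

    # a row without a stored hash can never validate; also avoids an
    # undefined-index notice and a null reaching substr()/the validator
    $enc_password = isset($user['password']) ? (string) $user['password'] : '';

    if ($enc_password === '') {
        return false;
    }

    # strict comparison: '==' would type-juggle numeric-looking strings
    $is_bcrypt = (substr($enc_password, 0, 4) === '$2a$') ? 1 : 0;

    $validate_more = array('use_bcrypt' => $is_bcrypt);
    $is_ok = passwords_validate_password($password, $enc_password, $validate_more);

    if ($is_ok && !$is_bcrypt && $more['ensure_bcrypt'] && !empty($GLOBALS['passwords_canhas_bcrypt'])) {

        # promote the stored hash to bcrypt; $user is by-reference so the
        # reload below is visible to the caller
        if (users_update_password($user, $password)) {
            $user = users_get_by_id($user['id']);
        }
    }

    return $is_ok;
}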
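function passwords_validate_password_for_user($password, &$user) {

    #
    # Check $password against $user['password'].
    #
    # If bcrypt is enabled and promotion is allowed but the stored hash is
    # *not* bcrypt (prefix '$2a$'), the legacy HMAC-SHA256 hash is verified
    # here and, on success, the password is re-saved through
    # users_update_password() (promoting it to bcrypt) and $user -- passed
    # by reference -- is reloaded via users_get_by_id() so the caller sees
    # the new hash. Otherwise the check is delegated to
    # passwords_validate_password().
    #
    # Returns a bool on the promotion path; otherwise whatever
    # passwords_validate_password() returns.
    #

    $cfg = $GLOBALS['cfg'];

    # avoid an undefined-index notice / null reaching substr() and hash_equals()
    $enc_password = isset($user['password']) ? (string) $user['password'] : '';

    # strict comparison: '==' would type-juggle numeric-looking strings
    $is_bcrypt = substr($enc_password, 0, 4) === '$2a$';

    if (!empty($cfg['passwords_use_bcrypt']) && !empty($cfg['passwords_allow_promotion']) && !$is_bcrypt) {

        $test = hash_hmac("sha256", $password, $cfg['crypto_password_secret']);

        # hash_equals(): strict and constant-time. The previous '==' both
        # leaked timing and type-juggled hex digests that look numeric
        # (such strings compare equal as floats). Known value goes first.
        $is_ok = hash_equals($enc_password, $test);

        if ($is_ok && users_update_password($user, $password)) {
            $user = users_get_by_id($user['id']);
        }

        return $is_ok;
    }

    #
    # simple case
    #
    return passwords_validate_password($password, $enc_password);
}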
function users_get_by_login($email, $password) {

    #
    # Look up the user by email and return the record only if it exists,
    # is not flagged 'deleted', and $password validates against its stored
    # hash; otherwise null.
    #
    # Note: this calls passwords_validate_password() directly, so it does
    # not take the bcrypt-promotion path in passwords_validate_password_for_user().
    #

    $user = users_get_by_email($email);

    # short-circuit order matters: the later checks index into $user
    $rejected = !$user
        || $user['deleted']
        || !passwords_validate_password($password, $user['password']);

    return $rejected ? null : $user;
}