/** * Validate a user-provided password with user * * @param HiddenString $password * @param HiddenString $pHash * @param array $migrationData * @param EncryptionKey $passwordKey * @return bool * @throws \Exception */ public function validate(HiddenString $password, HiddenString $pHash, array $migrationData, EncryptionKey $passwordKey = null) : bool { if (!$passwordKey) { if (!$this->key instanceof EncryptionKey) { throw new \Exception(\__('No key was passed to this migration')); } $passwordKey = $this->key; } $hash = $this->wordPressCryptPrivate($password, $migrationData['salt']); return Password::verify($hash, $pHash->getString(), $passwordKey); }
public function login() { if (Session::get('loggin') == true) { url::redirect('admin'); } if (isset($_POST['submit'])) { $username = $_POST['username']; $password = $_POST['password']; $admin = $this->loadModel('admin_model'); if (Password::verify($password, $admin->get_hash($username)) == false) { die('wrong username or password'); } else { Session::set('loggin', true); Url::redirect('admin'); } } $data['title'] = 'Login'; $this->view->rendertemplate('header', $data); $this->view->render('admin/login', $data); $this->view->rendertemplate('footer', $data); }
public function login() { if (Session::get('loggedin')) { Url::redirect('admin'); } $model = new \models\admin\auth(); $data['title'] = 'Login'; if (isset($_POST['submit'])) { $username = $_POST['username']; $password = $_POST['password']; if (Password::verify($password, $model->getHash($_POST['username'])) == 0) { $error[] = 'Wrong username of password'; } else { Session::set('loggedin', true); Url::redirect('admin'); } } View::renderadmintemplate('loginheader', $data); View::render('admin/login', $data, $error); View::renderadmintemplate('footer', $data); }
/** * @param HiddenString $password * @return bool */ public function tryUnlockPassword(HiddenString $password) : bool { $state = State::instance(); return Password::verify($password->getString(), $this->installHash, $state->keyring['auth.password_key']); }
public function login($username, $password) { if ($this->logged_in) { return true; } //Make sure username and password are provided if (!isset($username) || !isset($password)) { return false; } $username = $this->escape(trim($username)); $password = $this->escape(trim($password)); $result = $this->query("SELECT pass, last_attempt, attempts FROM users WHERE username = '******'", array($username)); if (count($result) === 0) { return false; } $password = new Password($password); //Rate limit password guesses per minute //Once the user has guessed 5 times, they have to wait a minute before trying again $attempt_time = time(); $attempts = (int) $result[0]->attempts; //Reset attempt counter if user hasn't attempted in last minute if ($attempt_time > $result[0]->last_attempt + self::TIME_RANGE) { $attempts = 0; } $attempts++; //User has exceeded max number of attempts in last minute if ($attempts > self::MAX_ATTEMPTS) { return false; } //Update user with attempt count and current time $this->query("UPDATE users SET last_attempt = '%d', attempts = '%d' WHERE username = '******'", array($attempt_time, $attempts, $username)); if (!$password->verify($result[0]->pass)) { return false; } $_SESSION["username"] = $username; $_SESSION["login_time"] = $attempt_time; $this->logged_in = true; return true; }
function resetPasswordAction($db, $reset_key, $email_address, $password_token, $password, $user_password_repeat) { $response = $db->query('SELECT secret, request_timestamp FROM responses WHERE reset_key = :reset_key AND email_address = :email_address AND NOT used AND active', array(':reset_key' => $reset_key, ':email_address' => $email_address)); $validatedPassword = self::validateUserPassword($password, $user_password_repeat); if (!$validatedPassword) { return "INVALID PASSWORD"; } if ($response) { $created = DateTime::createFromFormat('Y-m-d G:i:s', $response[0]->request_timestamp); if ($created >= new DateTime('30 minutes ago')) { if (Password::verify($password_token, $response[0]->secret) && $password == $user_password_repeat) { $disable_token = $db->update("responses", array('used' => 1), array('reset_key' => $reset_key), array()); $hash = Password::make($password, PASSWORD_BCRYPT, array("cost" => 10)); $password_change = $db->exec('UPDATE Users SET password = :password WHERE email = :email', array(':password' => $hash, ':email' => $email_address)); return "Password Successfully Changed"; } } } else { return "INVALID RESET TOKEN"; } }
/** * Verifies that the password is valid for a given user account. Returns * false whether or not the user name is valid and attempts to minimize * leaking that information through timing side-channels. * * @param string $username * @param HiddenString $password * @return bool|int */ public function login(string $username, HiddenString $password) { /** * To prevent extreme stupidity, we escape our table and column names * here. We shouldn't ever *need* to do this, but as long as developers * are creative, they will find creative ways to make their apps * insecure and we should anticipate them as much as we can. */ $table = $this->db->escapeIdentifier($this->tableConfig['table']['accounts']); // Let's fetch the user data from the database $user = $this->db->row('SELECT * FROM ' . $table . ' WHERE username = ?', $username); if (empty($user)) { /** * User not found. Use the dummy password to mitigate user * enumeration via timing side-channels. */ Password::verify($password->getString(), $this->dummyHash, $this->key); // No matter what, return false here: return false; } else { if (!empty($user['migration'])) { $success = $this->migrateImportedHash($password, new HiddenString($user['password']), $user); if ($success) { return (int) $user['userid']; } } if (Password::verify($password->getString(), $user['password'], $this->key)) { return (int) $user['userid']; } } return false; }
// $app = \Slim\Slim::getInstance(); // $token = $app->request->headers->get('Authorization'); // $token = str_replace('"', "", $token); // $tokenFromDB = Users_model::get_user_by_token($db, $token); // if (!$tokenFromDB) { // echoResponse(403, "Invalid Token"); // exit(); // } // } // Users $app->post('/login', function () use($app) { global $db; $data = json_decode($app->request->getBody()); $user = Users_model::get_hash($db, $data->email); $hash = Password::make($data->password, PASSWORD_BCRYPT, array("cost" => 10)); if (Password::verify($data->password, $user[0]->password) == true) { echoResponse(200, $user[0]); } else { echoResponse(403, "Not a valid password"); } }); // 'authenticateToken', $app->get('/users', 'authenticateToken', function () use($app) { global $db; $rows = Users_model::get_users($db); // foreach (getallheaders() as $name => $value) { // var_dump(getallheaders()); // } echoResponse(200, $rows); }); $app->post('/users', function () use($app) {