From bd33c956a2286c15aad8bfce2b19b7e1587f6210 Mon Sep 17 00:00:00 2001 From: REJack Date: Sat, 14 May 2016 19:37:06 +0200 Subject: [PATCH] BCrypt/PHP's password_hash support - added config var `use_password_hash` - added config var `password_hash_algo` - added config var `password_hash_options` - added `verify_password()` - changed `login()` (changed pass check with new the function, added a little skip for pass recreation if password_hash is active) - changed `hash_password()` - added `sql/Aauth_v2_BCrypt.sql` with a working password if BCrypt is active --- application/config/aauth.php | 8 +- application/libraries/Aauth.php | 34 ++++-- sql/Aauth_v2_BCrypt.sql | 177 ++++++++++++++++++++++++++++++++ 3 files changed, 211 insertions(+), 8 deletions(-) create mode 100644 sql/Aauth_v2_BCrypt.sql diff --git a/application/config/aauth.php b/application/config/aauth.php index 7466c28..58668dd 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -68,6 +68,9 @@ defined('BASEPATH') OR exit('No direct script access allowed'); | | ['hash'] Name of selected hashing algorithm (e.g. "md5", "sha256", "haval160,4", etc..) | Please, run hash_algos() for know your all supported algorithms +| ['use_password_hash'] True to use PHP's own password_hash() function with BCrypt, needs PHP5.5 or higher +| ['password_hash_algo'] password_hash algorithm ("PASSWORD_DEFAULT", "PASSWORD_BCRYPT") +| ['password_hash_options'] password_hash options array for details see http://php.net/manual/en/function.password-hash.php | */ $config_aauth = array(); @@ -125,7 +128,10 @@ $config_aauth["default"] = array( 'verification_link' => '/account/verification/', 'reset_password_link' => '/account/reset_password/', - 'hash' => 'sha256' + 'hash' => 'sha256', + 'use_password_hash' => false, + 'password_hash_algo' => 'PASSWORD_DEFAULT', + 'password_hash_options' => array() ); $config['aauth'] = $config_aauth['default']; diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index e749ab6..733629b 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -281,9 +281,6 @@ class Aauth { $query = null; $query = $this->aauth_db->where($db_identifier, $identifier); - - // Database stores pasword hashed password - $query = $this->aauth_db->where('pass', $this->hash_password($pass, $user_id)); $query = $this->aauth_db->where('banned', 0); $query = $this->aauth_db->get($this->config_vars['users']); @@ -291,7 +288,9 @@ class Aauth { $row = $query->row(); // if email and pass matches and not banned - if ( $query->num_rows() != 0 ) { + $password = ($this->config_vars['use_password_hash'] ? $pass : $this->hash_password($pass, $row->id)); + + if ( $query->num_rows() != 0 && $this->verify_password($password, $row->pass) ) { // If email and pass matches // create session @@ -762,7 +761,9 @@ class Aauth { // Update to correct salted password $data = null; - $data['pass'] = $this->hash_password($pass, $user_id); + if( !$this->config_vars['use_password_hash']){ + $data['pass'] = $this->hash_password($pass, $user_id); + } $this->aauth_db->where('id', $user_id); $this->aauth_db->update($this->config_vars['users'], $data); @@ -1157,9 +1158,28 @@ class Aauth { * @return string Hashed password */ function hash_password($pass, $userid) { + if($this->config_vars['use_password_hash']){ + return password_hash($pass, $this->config_vars['password_hash_algo'], $this->config_vars['password_hash_options']); + }else{ + $salt = md5($userid); + return hash($this->config_vars['hash'], $salt.$pass); + } + } - $salt = md5($userid); - return hash($this->config_vars['hash'], $salt.$pass); + /** + * Verify password + * Verfies the hashed password + * @param string $password Password + * @param string $hash Hashed Password + * @param string $user_id + * @return bool False or True + */ + function verify_password($password, $hash) { + if($this->config_vars['use_password_hash']){ + return password_verify($password, $hash); + }else{ + return ($password == $hash ? TRUE : FALSE); + } } ######################## diff --git a/sql/Aauth_v2_BCrypt.sql b/sql/Aauth_v2_BCrypt.sql new file mode 100644 index 0000000..2cae89c --- /dev/null +++ b/sql/Aauth_v2_BCrypt.sql @@ -0,0 +1,177 @@ +/* + Aauth SQL Table Structure +*/ + +SET FOREIGN_KEY_CHECKS=0; + +-- ---------------------------- +-- Table structure for `aauth_groups` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_groups`; +CREATE TABLE `aauth_groups` ( + `id` int(11) unsigned NOT NULL AUTO_INCREMENT, + `name` varchar(100), + `definition` text, + PRIMARY KEY (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8; + +-- ---------------------------- +-- Records of aauth_groups +-- ---------------------------- +INSERT INTO `aauth_groups` VALUES ('1', 'Admin', 'Super Admin Group'); +INSERT INTO `aauth_groups` VALUES ('2', 'Public', 'Public Access Group'); +INSERT INTO `aauth_groups` VALUES ('3', 'Default', 'Default Access Group'); + +-- ---------------------------- +-- Table structure for `aauth_perms` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_perms`; +CREATE TABLE `aauth_perms` ( + `id` int(11) unsigned NOT NULL AUTO_INCREMENT, + `name` varchar(100), + `definition` text, + PRIMARY KEY (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- ---------------------------- +-- Records of aauth_perms +-- ---------------------------- + +-- ---------------------------- +-- Table structure for `aauth_perm_to_group` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_perm_to_group`; +CREATE TABLE `aauth_perm_to_group` ( + `perm_id` int(11) unsigned DEFAULT NULL, + `group_id` int(11) unsigned DEFAULT NULL, + PRIMARY KEY (`perm_id`,`group_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- ---------------------------- +-- Records of aauth_perm_to_group +-- ---------------------------- + +-- ---------------------------- +-- Table structure for `aauth_perm_to_user` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_perm_to_user`; +CREATE TABLE `aauth_perm_to_user` ( + `perm_id` int(11) unsigned DEFAULT NULL, + `user_id` int(11) unsigned DEFAULT NULL, + PRIMARY KEY (`perm_id`,`user_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- ---------------------------- +-- Records of aauth_perm_to_user +-- ---------------------------- + +-- ---------------------------- +-- Table structure for `aauth_pms` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_pms`; +CREATE TABLE `aauth_pms` ( + `id` int(11) unsigned NOT NULL AUTO_INCREMENT, + `sender_id` int(11) unsigned NOT NULL, + `receiver_id` int(11) unsigned NOT NULL, + `title` varchar(255) NOT NULL, + `message` text, + `date_sent` datetime DEFAULT NULL, + `date_read` datetime DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `full_index` (`id`,`sender_id`,`receiver_id`,`date_read`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- ---------------------------- +-- Records of aauth_pms +-- ---------------------------- + +-- ---------------------------- +-- Table structure for `aauth_system_variables` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_system_variables`; +CREATE TABLE `aauth_system_variables` ( + `id` int(11) unsigned NOT NULL AUTO_INCREMENT, + `data_key` varchar(100) NOT NULL, + `value` text, + PRIMARY KEY (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- ---------------------------- +-- Records of aauth_system_variables +-- ---------------------------- + +-- ---------------------------- +-- Table structure for `aauth_users` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_users`; +CREATE TABLE `aauth_users` ( + `id` int(11) unsigned NOT NULL AUTO_INCREMENT, + `email` varchar(100) COLLATE utf8_general_ci NOT NULL, + `pass` varchar(60) COLLATE utf8_general_ci NOT NULL, + `name` varchar(100) COLLATE utf8_general_ci, + `banned` tinyint(1) DEFAULT '0', + `last_login` datetime DEFAULT NULL, + `last_activity` datetime DEFAULT NULL, + `last_login_attempt` datetime DEFAULT NULL, + `forgot_exp` text COLLATE utf8_general_ci, + `remember_time` datetime DEFAULT NULL, + `remember_exp` text COLLATE utf8_general_ci, + `verification_code` text COLLATE utf8_general_ci, + `totp_secret` varchar(16) COLLATE utf8_general_ci DEFAULT NULL, + `ip_address` text COLLATE utf8_general_ci, + `login_attempts` int(11) DEFAULT '0', + PRIMARY KEY (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_general_ci; + +-- ---------------------------- +-- Records of aauth_users +-- ---------------------------- +INSERT INTO `aauth_users` VALUES ('1', 'admin@example.com', '$2y$10$h19Lblcr6amOIUL1TgYW2.VVZOhac/e1kHMgAwCubMTlYXZrL0wS2', 'Admin', '0', null, null, null, null, null, null, null, null, null, '0'); + +-- ---------------------------- +-- Table structure for `aauth_user_to_group` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_user_to_group`; +CREATE TABLE `aauth_user_to_group` ( + `user_id` int(11) unsigned NOT NULL DEFAULT '0', + `group_id` int(11) unsigned NOT NULL DEFAULT '0', + PRIMARY KEY (`user_id`,`group_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- ---------------------------- +-- Records of aauth_user_to_group +-- ---------------------------- +INSERT INTO `aauth_user_to_group` VALUES ('1', '1'); +INSERT INTO `aauth_user_to_group` VALUES ('1', '3'); + +-- ---------------------------- +-- Table structure for `aauth_user_variables` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_user_variables`; +CREATE TABLE `aauth_user_variables` ( + `id` int(11) unsigned NOT NULL AUTO_INCREMENT, + `user_id` int(11) unsigned NOT NULL, + `data_key` varchar(100) NOT NULL, + `value` text, + PRIMARY KEY (`id`), + KEY `user_id_index` (`user_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- ---------------------------- +-- Records of aauth_user_variables +-- ---------------------------- + +-- ---------------------------- +-- Table structure for `aauth_perm_to_group` +-- ---------------------------- +DROP TABLE IF EXISTS `aauth_group_to_group`; +CREATE TABLE `aauth_group_to_group` ( + `group_id` int(11) unsigned DEFAULT NULL, + `subgroup_id` int(11) unsigned DEFAULT NULL, + PRIMARY KEY (`group_id`,`subgroup_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + +-- ---------------------------- +-- Records of aauth_perm_to_group +-- ---------------------------- +