Assign user a custom password CakePHP AuthComponent and Blowfish hash - cakephp

I am using Blowfish to hash a password before save in my model like so:
...
$passHash = new BlowfishPasswordHasher();
$this->data[$this->alias]['password'] = $passHash->hash($this->data[$this->alias]['password']);
...
I am using a MySQL backend and obviously I can't just assign a password in the password field for that user because it will never authenticate with the Auth Component's authentication because it is using the Blowfish hasher.
So, how could I assign a user a custom password for them to use?

Why not just have an edit method in the users model with a corresponding view baked up? You can edit the user's password there and it'll take care of password hashing if you send a password to the database that way.

With advice from a co-worker, I ended up creating a shell script to manage users.
In Console/Command I created UserShell.php, which has an updatePassword function that takes a username and a password as arguments. In the function I set the user using the username, and then use the following to save a custom password that is hashed by the model's beforeFilter:
// set the user...
$this->User->saveField('password', $password);
This was a quick solution for my problem.

Related

How to encode password that hashed by DefaultPasswordHasher() in CakePHP

In my project, the password is hashed and saved in the database, but how can I get the original password if I forgot the password?
You can't, that's the whole point of using a hash.
If someone forgot their password, then they should set a new one, i.e. you should implement some form of password reset functionality accordingly.
You can't have it! If a user forgot his password, you can send him a link to create a new one (with questions to check his identity).

Using passwords hashed in CakePHP in Laravel environment

Currently I am working on rebuilding an existing website, the old site was written in CakePHP but the new one is in Laravel.
The old users will have to be able to login with the same password as they used on the old site, but those passwords were hashed in CakePHP.
My question is:
Is there a method which would enable me to use the CakePHP way of password hashing in Laravel?
I have tried looking for a package that could accomplish this, but to no avail.
I had a similar issue with a migration from a Drupal site. So it should be applicable here, I'll use CakePHP from now on instead of Drupal. I don't know if you are using a package like Sentry to handle the User accounts, or if it is something homegrown.
What I ended up doing was adding a second password field (cakephp_password) to my users table which contained the imported hashed passwords.
Then during the login process, I checked if the cakephp_password field was empty or not. If it was, I passed the password typed by the user through the CakePHP hash function, which I added to my class that handled the logins. I then compared the hash from the CakePHP function with the hash in cakephp_password. If the hashes matched, I passed the user's password through the hashing function of my Laravel user management class (Sentry in my case), added the calculated hash to the password field of the user, and deleted the hash in the cakephp_password field.
Now I could just call the login process normally as for any user.
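
The login-time migration described in the answer above, as an added example that is not part of the original post. It assumes the imported hashes are CakePHP 2.x salted SHA-1 (the old application's Security.salt prepended to the password); LEGACY_SALT, loginWithUpgrade() and the user array shape are hypothetical.

```php
<?php
// Added example: rehash-on-login for hashes imported from CakePHP.
// Assumption: legacy hash = sha1(Security.salt . password), the CakePHP 2.x default.
const LEGACY_SALT = 'constructed-placeholder-salt'; // copy the real value from the old app's config

function legacyCakeHash(string $password): string
{
    return sha1(LEGACY_SALT . $password);
}

/**
 * $user is a hypothetical row: ['password' => ?string, 'cakephp_password' => ?string].
 * Returns [bool $authenticated, array $userRowToPersist].
 */
function loginWithUpgrade(array $user, string $typed): array
{
    if (!empty($user['cakephp_password'])) {
        // Legacy path: constant-time comparison against the imported hash.
        if (!hash_equals($user['cakephp_password'], legacyCakeHash($typed))) {
            return [false, $user];
        }
        // Correct password: store a bcrypt hash (Laravel's default hasher
        // verifies these) and drop the weak legacy hash for good.
        $user['password'] = password_hash($typed, PASSWORD_BCRYPT);
        $user['cakephp_password'] = null;
        return [true, $user];
    }

    // Already migrated (or new) account: normal verification only.
    $ok = is_string($user['password']) && password_verify($typed, $user['password']);
    if ($ok && password_needs_rehash($user['password'], PASSWORD_BCRYPT)) {
        $user['password'] = password_hash($typed, PASSWORD_BCRYPT);
    }
    return [$ok, $user];
}

// Constructed sample account imported from the old site.
$imported = ['password' => null, 'cakephp_password' => legacyCakeHash('correct horse')];

[$wrongOk]            = loginWithUpgrade($imported, 'wrong guess');   // legacy hash is kept
[$firstOk, $migrated] = loginWithUpgrade($imported, 'correct horse'); // upgrades the row
[$secondOk]           = loginWithUpgrade($migrated, 'correct horse'); // bcrypt path
var_dump($wrongOk, $firstOk, $migrated['cakephp_password'] === null, $secondOk);
```

Accounts that never log in keep their salted SHA-1 hash, so the legacy column should be given a retirement date, after which remaining users go through a password reset.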

'temporary' login credentials when resetting password?

I am looking to build a "reset password" function in my CakePHP app, and reading around the net I have decided to: Have the user type in their email address, send them an email with a link to http://www.mysite.com/users/reset_password/generated_uuid_that_expires_in_24_hours. This will present a form that allows them to change their password. Obviously the hiccup is that I don't know how to log the user in with a temporary password. Am I approaching this correctly? I am thinking that the URL I send them would be a hashed version of their email plus a uuid to use as a temp password, and that I would perform a user id lookup based on the email that comes in the URL... but still, I wouldn't know how to manually log them in so they can change their password.
I use the session approach. After using the token from the email, the user gets a Tmp.User.id (as opposed to Auth.User.id) in the session, which will allow him to change the password. Afterwards it will be removed from the session again.
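
The reset flow discussed in this thread, as an added example that is not part of the original posts: a random single-use token that expires after 24 hours and, once redeemed, grants only the Tmp.User.id session marker rather than a login. The $store and $session arrays are in-memory stand-ins for a database table and the framework session, and all function names are hypothetical.

```php
<?php
// Added example: expiring, single-use reset token with a scoped session marker.
const RESET_TTL = 86400; // 24 hours, as in the question

function issueResetToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));        // unguessable value for the e-mailed link
    $store[hash('sha256', $token)] = [         // only the digest is stored server-side
        'user_id' => $userId,
        'expires' => $now + RESET_TTL,
    ];
    return $token;
}

function redeemResetToken(array &$store, array &$session, string $token, int $now): bool
{
    $key = hash('sha256', $token);
    $row = $store[$key] ?? null;
    unset($store[$key]);                       // single use, also clears expired rows
    if ($row === null || $row['expires'] < $now) {
        return false;
    }
    // Scoped marker: enough to reach the change-password form, not a full login.
    $session['Tmp']['User']['id'] = $row['user_id'];
    return true;
}

function changePassword(array &$session, string $newPassword): ?array
{
    $userId = $session['Tmp']['User']['id'] ?? null;
    if ($userId === null) {
        return null;                           // no redeemed token in this session
    }
    unset($session['Tmp']);                    // marker is removed after use
    return ['user_id' => $userId, 'password' => password_hash($newPassword, PASSWORD_BCRYPT)];
}

// Constructed walk-through with a fixed clock.
$store = []; $session = []; $t0 = 1700000000;
$token = issueResetToken($store, 42, $t0);
var_dump(redeemResetToken($store, $session, $token, $t0 + 3600)); // first use, within 24 h
var_dump(redeemResetToken($store, $session, $token, $t0 + 3700)); // replay of the same token
$update = changePassword($session, 'new passphrase');
var_dump($update['user_id'], isset($session['Tmp']));
```

Storing only the SHA-256 digest means a leaked reset table does not yield usable links, and the token carries no e-mail address or user id that could be tampered with.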

CakePHP Auth Manual login

I am interested in testing the incoming password field for a particular admin level password. If it matches, I want it to manually have Auth log in with whatever username they want (submitted via form).
My understanding is Auth, in taking the data, will only authorize it if it sees the same email/hashed password in the database. Is there a way to get around this check to manually set it? Even $this->Auth->login(..) will do this check right?
$this->Auth->login($userId)
Auth::login accepts either a username/password combination or simply a user id (the primary key of the user model in the database).
See my answer here: Using username instead of email in CakePHP's Auth Component
It's not the same question, but the idea is, when the login fails, you can intercept it and do what you want.

CakePHP - Auth hashed password different to Security::hash()

On my password reset page, I save the user's new password using Security::hash(). When I then try to log in though, my database saved hashed password does not match the version that Auth comes up with when hashing my input in the login field.
I assume this is something like Security::hash() using my application salt to hash the password, whereas Auth doesn't use that salt?
How do you go about this?
Have you tried the AuthComponent::password() method instead?
Also, if the field is named password, check that AuthComponent hasn't already hashed it.
Edit: In 3.x, see DefaultPasswordHasher::hash() instead, as explained in Hashing Passwords.
Should be Security::hash($password, 'sha1', true)
You can leave the second parameter NULL because Auth uses the same hash as specified in Security.
