chg: [security] Use const hasher also for login

2021-08-24 18:16:32 +02:00 · 2021-08-24 18:16:32 +02:00 · 98b87d8987
parent 0fc4698b60
commit 98b87d8987
5 changed files with 19 additions and 16 deletions
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@ -3,6 +3,7 @@ App::uses('ConnectionManager', 'Model');
 App::uses('Controller', 'Controller');
 App::uses('File', 'Utility');
 App::uses('RequestRearrangeTool', 'Tools');
+App::uses('BlowfishConstantPasswordHasher', 'Controller/Component/Auth');

 /**
 * Application Controller
@ -23,6 +24,10 @@ App::uses('RequestRearrangeTool', 'Tools');
 */
 class AppController extends Controller
 {
+    /**
+     * @var string
+     * @deprecated Use modelClass instead
+     */
    public $defaultModel = '';

    public $helpers = array('OrgImg', 'FontAwesome', 'UserName', 'DataPathCollector');
@ -56,14 +61,10 @@ class AppController extends Controller
    /** @var User */
    public $User;

-    public function __construct($id = false, $table = null, $ds = null)
+    public function __construct($request = null, $response = null)
    {
-        parent::__construct($id, $table, $ds);
-
-        $name = get_class($this);
-        $name = str_replace('sController', '', $name);
-        $name = str_replace('Controller', '', $name);
-        $this->defaultModel = $name;
+        parent::__construct($request, $response);
+        $this->defaultModel = $this->modelClass;
    }

    public $components = array(
@ -72,7 +73,7 @@ class AppController extends Controller
                'authError' => 'Unauthorised access.',
                'authenticate' => array(
                    'Form' => array(
-                        'passwordHasher' => 'Blowfish',
+                        'passwordHasher' => 'BlowfishConstant',
                        'fields' => array(
                            'username' => 'email'
                        )
--- a/app/Controller/Component/Auth/BlowfishConstantPasswordHasher.php
+++ b/app/Controller/Component/Auth/BlowfishConstantPasswordHasher.php
@ -1,12 +1,15 @@
 <?php
-class BlowfishPasswordHasherConstant extends BlowfishPasswordHasher
+App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');
+
+class BlowfishConstantPasswordHasher extends BlowfishPasswordHasher
 {
    /**
     * @param string $password
     * @param string $hashedPassword
     * @return bool
     */
-    public function check($password, $hashedPassword) {
+    public function check($password, $hashedPassword)
+    {
        return hash_equals($hashedPassword, Security::hash($password, 'blowfish', $hashedPassword));
    }
 }
--- a/app/Model/AppModel.php
+++ b/app/Model/AppModel.php
@ -22,7 +22,6 @@

 App::uses('Model', 'Model');
 App::uses('LogableBehavior', 'Assets.models/behaviors');
-App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');
 App::uses('RandomTool', 'Tools');

 class AppModel extends Model
--- a/app/Model/AuthKey.php
+++ b/app/Model/AuthKey.php
@ -2,7 +2,7 @@
 App::uses('AppModel', 'Model');
 App::uses('RandomTool', 'Tools');
 App::uses('CidrTool', 'Tools');
-App::uses('BlowfishPasswordHasherConstant', 'Tools');
+App::uses('BlowfishConstantPasswordHasher', 'Controller/Component/Auth');

 /**
 * @property User $User
@ -332,6 +332,6 @@ class AuthKey extends AppModel
     */
    private function getHasher()
    {
-        return new BlowfishPasswordHasherConstant();
+        return new BlowfishConstantPasswordHasher();
    }
 }
--- a/app/Model/User.php
+++ b/app/Model/User.php
@ -4,7 +4,7 @@ App::uses('AuthComponent', 'Controller/Component');
 App::uses('RandomTool', 'Tools');
 App::uses('GpgTool', 'Tools');
 App::uses('SendEmail', 'Tools');
-App::uses('BlowfishPasswordHasherConstant', 'Tools');
+App::uses('BlowfishConstantPasswordHasher', 'Controller/Component/Auth');

 /**
 * @property Log $Log
@ -272,7 +272,7 @@ class User extends AppModel
    {
        $this->data[$this->alias]['date_modified'] = time();
        if (isset($this->data[$this->alias]['password'])) {
-            $passwordHasher = new BlowfishPasswordHasher();
+            $passwordHasher = new BlowfishConstantPasswordHasher();
            $this->data[$this->alias]['password'] = $passwordHasher->hash($this->data[$this->alias]['password']);
        }
        return true;
@ -1009,7 +1009,7 @@ class User extends AppModel
            App::uses('SimplePasswordHasher', 'Controller/Component/Auth');
            $passwordHasher = new SimplePasswordHasher();
        } else {
-            $passwordHasher = new BlowfishPasswordHasherConstant();
+            $passwordHasher = new BlowfishConstantPasswordHasher();
        }
        $hashed = $passwordHasher->check($password, $currentUser['User']['password']);
        return $hashed;