fix: [security] Use random salt for password and authkey hashes

2022-06-08 14:39:20 +02:00 · 2022-06-08 14:39:20 +02:00 · a92c63dc69
parent 8c97a92a17
commit a92c63dc69
1 changed files with 16 additions and 3 deletions
--- a/app/Controller/Component/Auth/BlowfishConstantPasswordHasher.php
+++ b/app/Controller/Component/Auth/BlowfishConstantPasswordHasher.php
@ -1,8 +1,21 @@
 <?php
-App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');
+App::uses('AbstractPasswordHasher', 'Controller/Component/Auth');

-class BlowfishConstantPasswordHasher extends BlowfishPasswordHasher
+class BlowfishConstantPasswordHasher extends AbstractPasswordHasher
 {
+    /**
+     * @param string $password
+     * @return string
+     */
+    public function hash($password)
+    {
+        $hash = password_hash($password, PASSWORD_BCRYPT);
+        if ($hash === false) {
+            throw new RuntimeException('Could not generate hashed password');
+        }
+        return $hash;
+    }
+
    /**
     * @param string $password
     * @param string $hashedPassword
@ -10,6 +23,6 @@ class BlowfishConstantPasswordHasher extends BlowfishPasswordHasher
     */
    public function check($password, $hashedPassword)
    {
-        return hash_equals($hashedPassword, Security::hash($password, 'blowfish', $hashedPassword));
+        return password_verify($password, $hashedPassword);
    }
 }