From b057426b9f1b6261f52316c46f57bcf2fbc47d9b Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Sat, 14 Nov 2020 22:33:05 +0100
Subject: [PATCH] fix: [security] Properly validate new auth key

---
 app/Model/AuthKey.php | 36 +++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/app/Model/AuthKey.php b/app/Model/AuthKey.php
index 20cad49fe..333ec5d1f 100644
--- a/app/Model/AuthKey.php
+++ b/app/Model/AuthKey.php
@@ -1,24 +1,20 @@
 array(
- 'userModel' => 'User',
- 'userKey' => 'user_id',
- 'change' => 'full'),
- 'Containable',
- );
-
- public $validate = array(
- 'json' => array(
- 'isValidJson' => array(
- 'rule' => array('isValidJson'),
- )
- )
+ 'SysLogLogable.SysLogLogable' => array(
+ 'userModel' => 'User',
+ 'userKey' => 'user_id',
+ 'change' => 'full'),
+ 'Containable',
 );
 public $belongsTo = array(
@@ -44,7 +40,7 @@ class AuthKey extends AppModel
 } else {
 $authkey = $this->data['AuthKey']['authkey'];
 }
- $passwordHasher = new BlowfishPasswordHasher();
+ $passwordHasher = $this->getHasher();
 $this->data['AuthKey']['authkey'] = $passwordHasher->hash($authkey);
 $this->data['AuthKey']['authkey_start'] = substr($authkey, 0, 4);
 $this->data['AuthKey']['authkey_end'] = substr($authkey, -4);
@@ -65,6 +61,7 @@ class AuthKey extends AppModel
 $end = substr($authkey, -4);
 $existing_authkeys = $this->find('all', [
 'recursive' => -1,
+ 'fields' => ['authkey', 'user_id'],
 'conditions' => [
 'OR' => [
 'expiration >' => time(),
@@ -74,8 +71,9 @@ class AuthKey extends AppModel
 'authkey_end' => $end,
 ]
 ]);
+ $passwordHasher = $this->getHasher();
 foreach ($existing_authkeys as $existing_authkey) {
- if (Security::hash($authkey, 'blowfish', $existing_authkey['AuthKey']['authkey'])) {
+ if ($passwordHasher->check($authkey, $existing_authkey['AuthKey']['authkey'])) {
 return $this->User->getAuthUser($existing_authkey['AuthKey']['user_id']);
 }
 }
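Review bot: In the `else` branch the key taken from `$this->data['AuthKey']['authkey']` is hashed with no visible length or character-set check, so if that branch accepts a caller-supplied key, a short or predictable value reaches `hash()` unless a model validation rule rejects it first; the subject line suggests such a rule was added in the first hunk, whose head is lost in this rendering, so confirm it covers this path. The stored `authkey_start` and `authkey_end` columns are needed for the lookup but expose eight characters of the secret in clear, which the minimum-length rule should account for; a comment such as `// start/end are stored in clear for lookup, so the key must be long enough that 8 known chars leave ample entropy` would record that trade-off. The enclosing method begins and ends outside the hunk.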
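Review bot: The new `$passwordHasher->check(...)` call is the only step that actually authenticates the key, while the `authkey_start`/`authkey_end` conditions above it merely narrow the candidate rows, and nothing in the hunk says so; a comment above the `foreach`, `// start/end columns only narrow candidates; the bcrypt check below is the real verification`, would keep a later edit from treating a prefix/suffix match as sufficient, which is the pattern the replaced truthiness test on `Security::hash(...)` amounted to. The check runs bcrypt once per candidate, so lookup cost scales with the number of live keys sharing the same eight characters; bounded in practice, but worth stating next to the loop. What the method returns when no candidate verifies lies outside the hunk.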
@@ -110,4 +108,12 @@ class AuthKey extends AppModel
 return false;
 }
 }
+
+ /**
+ * @return AbstractPasswordHasher
+ */
+ private function getHasher()
+ {
+ return new BlowfishPasswordHasher();
+ }
 }
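Review bot: `getHasher()` is now the single place where the key-hashing algorithm is chosen for both storing and verifying, but its docblock states only the return type; a one-line description such as `Hasher shared by hash() on save and check() on lookup; swapping it invalidates stored keys unless a rehash path is added` would document that coupling for whoever next changes the algorithm or cost. A fresh `BlowfishPasswordHasher` is constructed on every call, including once per lookup; caching it in a property is optional since construction is cheap next to the bcrypt work itself. No native return type is declared, presumably to stay compatible with the PHP versions this CakePHP 2 code base targets.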