[5.7] Remove Hash::check() for password verification (#25677)

* [5.7] Remove depending on Hash::check() just for password verification. Signed-off-by: Mior Muhammad Zaki <[email protected]> * Fixes tests. Signed-off-by: Mior Muhammad Zaki <[email protected]> * Fixes styling. Signed-off-by: Mior Muhammad Zaki <[email protected]>
laravel · Sep 18, 2018 · 5a622cc · 5a622cc
1 parent 8cb226e
commit 5a622cc
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 9 deletions.
diff --git a/src/Illuminate/Auth/DatabaseUserProvider.php b/src/Illuminate/Auth/DatabaseUserProvider.php
@@ -152,8 +152,14 @@ protected function getGenericUser($user)
      */
     public function validateCredentials(UserContract $user, array $credentials)
     {
-        return $this->hasher->check(
-            $credentials['password'], $user->getAuthPassword()
+        $hashed = $user->getAuthPassword();
+
+        if (strlen($hashed) === 0) {
+            return false;
+        }
+
+        return password_verify(
+            $credentials['password'], $hashed
         );
     }
 }
diff --git a/src/Illuminate/Auth/EloquentUserProvider.php b/src/Illuminate/Auth/EloquentUserProvider.php
@@ -138,8 +138,13 @@ public function retrieveByCredentials(array $credentials)
     public function validateCredentials(UserContract $user, array $credentials)
     {
         $plain = $credentials['password'];
+        $hashed = $user->getAuthPassword();
 
-        return $this->hasher->check($plain, $user->getAuthPassword());
+        if (strlen($hashed) === 0) {
+            return false;
+        }
+
+        return password_verify($plain, $hashed);
     }
 
     /**

diff --git a/tests/Auth/AuthDatabaseUserProviderTest.php b/tests/Auth/AuthDatabaseUserProviderTest.php
@@ -115,11 +115,22 @@ public function testCredentialValidation()
     {
         $conn = m::mock('Illuminate\Database\Connection');
         $hasher = m::mock('Illuminate\Contracts\Hashing\Hasher');
-        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(true);
         $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
         $user = m::mock('Illuminate\Contracts\Auth\Authenticatable');
-        $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
-        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('$2y$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm');
+        $result = $provider->validateCredentials($user, ['password' => 'secret']);
+
+        $this->assertTrue($result);
+    }
+
+    public function testCredentialValidationUsingUnknownAlgorithm()
+    {
+        $conn = m::mock('Illuminate\Database\Connection');
+        $hasher = m::mock('Illuminate\Contracts\Hashing\Hasher');
+        $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
+        $user = m::mock('Illuminate\Contracts\Auth\Authenticatable');
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('$1$0590adc6$WVAjBIam8sJCgDieJGLey0');
+        $result = $provider->validateCredentials($user, ['password' => 's3cr3t']);
 
         $this->assertTrue($result);
     }

diff --git a/tests/Auth/AuthEloquentUserProviderTest.php b/tests/Auth/AuthEloquentUserProviderTest.php
@@ -90,11 +90,22 @@ public function testCredentialValidation()
     {
         $conn = m::mock('Illuminate\Database\Connection');
         $hasher = m::mock('Illuminate\Contracts\Hashing\Hasher');
-        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(true);
         $provider = new EloquentUserProvider($hasher, 'foo');
         $user = m::mock('Illuminate\Contracts\Auth\Authenticatable');
-        $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
-        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('$2y$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm');
+        $result = $provider->validateCredentials($user, ['password' => 'secret']);
+
+        $this->assertTrue($result);
+    }
+
+    public function testCredentialValidationUsingUnknownAlgorithm()
+    {
+        $conn = m::mock('Illuminate\Database\Connection');
+        $hasher = m::mock('Illuminate\Contracts\Hashing\Hasher');
+        $provider = new EloquentUserProvider($hasher, 'foo');
+        $user = m::mock('Illuminate\Contracts\Auth\Authenticatable');
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('$1$0590adc6$WVAjBIam8sJCgDieJGLey0');
+        $result = $provider->validateCredentials($user, ['password' => 's3cr3t']);
 
         $this->assertTrue($result);
     }