Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[5.7] Remove Hash::check() for password verification #25677

Merged

Conversation

crynobone
Copy link
Member

@crynobone crynobone commented Sep 18, 2018

As of 5.7.0, Laravel now verify the hash algorithm before using password_verify(), while this is more secure for hashing in general this cause a regression bugs for password verification on authentication flow:

Signed-off-by: Mior Muhammad Zaki <[email protected]>
Signed-off-by: Mior Muhammad Zaki <[email protected]>
@taylorotwell taylorotwell merged commit 5a622cc into laravel:5.7 Sep 18, 2018
@crynobone crynobone deleted the remove-hash-check-for-password-verification branch September 19, 2018 03:55
@gabrielpeixoto
Copy link

I believe the problem continues in the laravel passport. When requesting token using password grant

@mnabialek
Copy link
Contributor

@crynobone @taylorotwell This is breaking change. Today I've updated my app from 5.7.2 to 5.7.4 and suddenly my authentication stopped working. The thing is that someone might have custom hasher created (as I have, not using bcrypt) and this hasher should be used to verify if password is correct.

@taylorotwell
Copy link
Member

We need to revert this.

@crynobone
Copy link
Member Author

crynobone commented Sep 20, 2018

I don't agree with the framework checking on algo for password verification process, this PR was build to work around the BC made on 5.7.0.

Personally I would prefer the algo check verification be made as a new method if one where really wanting strict algo verification such as Hash::verify().

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants