I'm trying to log in a user as part of a form submit, but why is the following not working:
$user = db_fetch_object(db_query("SELECT * FROM users WHERE mail = '%s' AND pass = '%s'", $mail, md5($pass)));
if ($user) {
// Authenticate user and log in
$params = array(
'name' => $user->name,
'pass' => trim($user->pass)
);
// Authenticate user
$account = user_authenticate($params);
}
if I dump $user I can see the correct values, but if I dump the account it's empty.
You are passing the hashed password to ´user_authenticate()´, while the function expects the clear password (it will hash it itself indirectly when loading the account via ´user_load()´).
So changing your $params array declaration to
$params = array(
'name' => $user->name,
'pass' => $pass
);
should make your example work.
BTW, you could use user_load() yourself to avoid querying the database directly:
$user = user_load(array('mail' => $mail, 'pass' => trim($pass), 'status' => 1));
(The 'status' => 1 will restrict results to active users - you can leave that out, of course, if you really want to allow log ins to disabled accounts ;)
Related
Creation of database record
$encrypter = \Config\Services::encrypter();
$password = base64_encode($encrypter->encrypt("12345aA!"));
$data = [
"email_address" => "email#gmail.com",
"password" => $password,
"user_id" => 1
];
$query = "insert into tblusers(user_id, email_address, password)";
$query = $query . "Values(:user_id,, :email_address, :password)";
$this->db->query($query, $data);
$this->db->table("tblusers")->insert($data);
Validation of Password with database saved record
$encrypter = \Config\Services::encrypter();
$model = new UserModel();
$user = $model->where("email_address", "email#gmail.com")->first();
echo $encrypter->decrypt($user["password"]);
Approach 2 used but same error message comes
$encrypted_password = "Py02s1SOIlI/p6sSzqDCqgR81wXuXSSdrA5R8wnLs/SQDig0A2hXjvcn4TfYYaa+Xoq4sMt4gJF5Krec8U8G8fKcrrXsSxbSG3BS";
echo $encrypter->decrypt($encrypted_password);
Error Message
Decrypting: authentication failed.
It is because you're applying base64_encode(...) after encrypting your 'raw password'.
// ...
$password = base64_encode($encrypter->encrypt("12345aA!"));
// ...
But then, you forget to apply base64_decode(...) before decrypting the stored 'password hash'.
// ...
echo $encrypter->decrypt($user["password"]);
// ...
Solution:
Validation of Password with database saved record
$model = new UserModel();
$user = $model->where("email_address", "email#gmail.com")->first();
try {
$decryptedPassword = \Config\Services::encrypter()
->decrypt(base64_decode($user["password"]));
echo $decryptedPassword;
} catch (\CodeIgniter\Encryption\Exceptions\EncryptionException $encryptionException) {
log_message("error", $encryptionException->getMessage());
}
Extra Note(s):
I would recommend you use PHP's built-in secure hashing algorithms instead for this scenario.
password_hash(...)
password_verify(...)
Currently I have a login feature and I have only set user can login using username. How do I make it for user to login either using username or email and check with my database if username exist when users login with their username and if email exist when users login with their email? Below is my current code:
Controller
public function login()
{
$data = [];
helper(['form']);
$validation = \Config\Services::validation();
if($this->request->getMethod() == 'post'){
//validations
$rules = [
'username' => 'required',
'password' => 'required|validateUser[username, password]'
];
$errors = [
'password' => [
'validateUser' => 'Username or Password don\'t match'
]
];
if(!$this->validate($rules, $errors)){
$data['validation'] = $this->validator;
}else{
$model = new AccountModel();
$user = $model->where('username', $this->request->getVar('username'))
->first();
$this->setUserSession($user);
return redirect()->to('/account/profile');
}
}
echo view('templates/header', $data);
echo view('account/login');
echo view('templates/footer');
}
My validation rules
<?php
namespace App\Validation;
use App\Models\AccountModel;
class UserRules
{
public function validateUser(string $str, string $fields, array $data)
{
$model = new AccountModel();
$user = $model->where('username', $data['username'])
->first();
if(!$user)
return false;
return password_verify($data['password'], $user['password']);
}
}
?>
Thanks in advance guys!
First, the username and the email must be unique.
So, when the user enters an input either email or username
you can check if the user enters email using the following code
$email = $this->request->getPost('email');
if(substr_count($email , '#') > 0) // this is an email
check for the email if its exists in the database
else // not an email which means it is username
check for the username if its exists in the database
You can find this function substr_count()
Edit: You can use orWhere function so for example
$model->where('username' , $username)->orWhere('email',$email)->find()
so this will produce this statement
select * from tablename where username='' or email =''
In Codeigniter 4, there's a built in checker for email format validity and if email exists already in database without creating a database query. You just setup a Model and use the validations like
protected $validationRules = [
'username' => 'required|alpha_numeric_space|min_length[3]',
'email' => 'required|valid_email|is_unique[users.email]',
'password' => 'required|min_length[8]',
'pass_confirm' => 'required_with[password]|matches[password]'
];
more samples here, https://codeigniter.com/user_guide/models/model.html?highlight=valid_email
I'm moving an app from CakePHP 2 to CakePHP 3. There is a new hashing algorithm for Cake3. I'd like the existing users to be able to login to the app using their old passwords and for those passwords to then be updated to the new algorithm.
Unfortunatly, I can't get the correct hash to match up to what is in the database.
$person = $this->Auth->identify();
if(!$person){ # maybe they have old sha1 password?
$oldhash = Security::hash($this->request->data['password'],
'sha1', "oldsalt");
$person = $this->People->find()->where(['password' => $oldhash])->where(['email' =>$this->request->data['email'] ])->first();
if($person){
$person->password = Security::hash($this->request->data['password']);
$this->People->save($person);
}
}
The user is not found and if i debug the $oldhash out I get a different string than what is stored in the password field for that user.
What am I doing wrong?
Fallback classes
According to the documentation:
CakePHP provides a clean way to migrate your users’ passwords from one algorithm to another, this is achieved through the FallbackPasswordHasher class. Assuming you are migrating your app from CakePHP 2.x which uses sha1 password hashes, you can configure the AuthComponent as follows:
You will have to create an Custom Password Hasher class src/Auth/. A Custom Password hasher wil look something like this:
namespace App\Auth;
use Cake\Auth\AbstractPasswordHasher;
class LegacyPasswordHasher extends AbstractPasswordHasher {
public function hash($password)
{
return sha1($password);
}
public function check($password, $hashedPassword)
{
return sha1($password) === $hashedPassword;
} }
and then add it to passwordhasher in authenticate as fallback like this:
'authenticate' => [
'Form' => [
'passwordHasher' => [
'className' => 'Fallback',
'hashers' => [
'Default',
'Legacy'
]
]
]
]
The first name appearing in the hashers key indicates which of the classes is the preferred one, but it will fallback to the others in the list if the check was unsuccessful.
legacy is the Custom Password Hasher.
Updating the password
To update the users' password to the new hash you only have to add this code to your login procedure:
if ($this->Auth->authenticationProvider()->needsPasswordRehash()) {
$user = $this->Users->get($this->Auth->user('id'));
$user->password = $this->request->data('password');
$this->Users->save($user);
}
Documentation
More information about Changing hashing Algorithms
More information about the Custom Password Hasher
I had a CakePHP 2 app using Blowfish. Here's how I made it work with CakePHP 3:
$this->loadComponent('Auth', [
'authenticate' => [
'Form' => [
// ...
'fields' => [
'username' => 'email',
'password' => 'pass', // make sure you match this with your corresponding login.ctp input name
],
// ...
'passwordHasher' => [
'className' => 'Fallback',
'hashers' => [
'Default' => ['hashType' => PASSWORD_BCRYPT],
]
],
// ...
]
],
Hope it helps someone googling this issue
I am working in facebook login, after successful facebook authentication i want to login user using modx api, i am able to login him using below code. But i am not getting how to login to multiple contexts, i tried to pass "login_context" parameter but still it only login him in "web" context and not other contexts.
$c = array(
'login_context' => 'tech,data,finance',
'username' => $username,
'password' => $password,
'returnUrl' => 'http://www.mydomain.com',
);
$response = $modx->runProcessor('security/login', $c);
loginContext its for only one context, if you need to login to multiple contexts - use add_contexts option.
This is just basic code to give you simple idea how it can be done.
if(isset($_POST) && count($_POST)){
$username = $_POST['uname'];
$password = $_POST['upass'];
$c = array(
'login_context' => 'web', // main context
'add_contexts' => 'profile,gallery,videos', // other contexts
'username' => $username,
'password' => $password
);
$response = $modx->runProcessor('security/login',$c);
if($response){
if (!$response->isError()) {
if($response->response['success'] == 1){
echo json_encode(array("success"=>1));
}else{
echo json_encode($response->response);
}
}else{
echo json_encode($response->response);
}
}
}
I have FOSUserBundle to manage my users, and SonataAdminBundle to manage my website... I have a problem, whenever I try to change/add a password to any user, the password isn't encoded into sha512, but it does when the user register itself inside fosuserbundle registration page...
So there isn't any problem with Symfony2 configuration neither fosuserbundle config, it may be inside SonataAdminBundle somewhere, or maybe into my admin class...
<?php
// src/Acme/DemoBundle/Admin/PostAdmin.php
namespace Web\DificilBundle\Admin;
use Sonata\AdminBundle\Admin\Admin;
use Sonata\AdminBundle\Datagrid\ListMapper;
use Sonata\AdminBundle\Datagrid\DatagridMapper;
use Sonata\AdminBundle\Form\FormMapper;
use Web;
class UserAdmin extends Admin
{
// Fields to be shown on create/edit forms
protected function configureFormFields(FormMapper $formMapper)
{
$formMapper
->add('firstname')
->add('lastname')
->add('username')
->add('email')
->add('password', 'password') // -> I WANT THIS TO BE ENCODED INTO SHA512!
->add('roles','choice',array('choices'=>$this->getConfigurationPool()->getContainer()->getParameter('security.role_hierarchy.roles'),'multiple'=>true ));
//->add('body')
;
}
// Fields to be shown on filter forms
protected function configureDatagridFilters(DatagridMapper $datagridMapper)
{
$datagridMapper
->add('firstname')
->add('lastname')
->add('username')
->add('email')
->add('password')
;
}
// Fields to be shown on lists
protected function configureListFields(ListMapper $listMapper)
{
$listMapper
->add('firstname')
->add('lastname')
->add('username')
->add('password')
->add('email')
->add('facebookid')
->add('roles');
//->add('password', 'password')
;
}
}
Found a solution for everyone who has the same problem as me, just on your admin class, where you define your Create/Update form, use this and your password will be perfectly encrypted and ready to log into your new user ;)
protected function configureFormFields(FormMapper $formMapper)
{
$formMapper
->add('email', 'email', array('label' => 'form.email', 'translation_domain' => 'FOSUserBundle'))
->add('username', null, array('label' => 'form.username', 'translation_domain' => 'FOSUserBundle'))
->add('plainPassword', 'repeated', array(
'type' => 'password',
'options' => array('translation_domain' => 'FOSUserBundle'),
'first_options' => array('label' => 'form.password'),
'second_options' => array('label' => 'form.password_confirmation'),
'invalid_message' => 'fos_user.password.mismatch',
))
;
}