add PasswordApi #3289
add PasswordApi #3289
Conversation
There was a problem hiding this comment.
Looks good so far. One aspect which came to my mind: maybe it would be advantageous to add some information to the hash methods about whether they are considered secure or not? This way we could query that information (like if (isMethodConsideredSecure($hashMethod)) and take further actions, like re-persisting the password using another method after a login happened.
|
none of the available methods are considered secure any longer. This is one reason to completely get out of the authentication business entirely (use OAuth instead). We need to upgrade all passwords to php 5.5+ methods which use |
|
refs #2842 |
is this possible when using the internal user/password login only? |
no |
… in ZAuth to separate files for easier location
| @@ -373,7 +375,7 @@ public function changePasswordAction(Request $request) | |||
| $form->handleRequest($request); | |||
| if ($form->isSubmitted() && $form->isValid()) { | |||
| $data = $form->getData(); | |||
| $mapping->setPass(\UserUtil::getHashedPassword($data['pass'])); | |||
| $mapping->setPass($this->container->get('zikula_zauth_module.api.password')->getHashedPassword($data['pass'])); | |||
There was a problem hiding this comment.
Sometimes you use $this->get, sometimes $this->container->get. Please use $this->get only in controllers for consistency.
| @@ -84,7 +84,7 @@ public function verifyAction(Request $request, $uname = null, $verifycode = null | |||
| $userEntity = $this->get('zikula_users_module.user_repository')->findOneBy(['uname' => $data['uname']]); | |||
| $mapping = $this->get('zikula_zauth_module.authentication_mapping_repository')->getByZikulaId($userEntity->getUid()); | |||
| if (isset($data['pass'])) { | |||
| $mapping->setPass(\UserUtil::getHashedPassword($data['pass'])); | |||
| $mapping->setPass($this->container->get('zikula_zauth_module.api.password')->getHashedPassword($data['pass'])); | |||
| @@ -230,7 +230,7 @@ public function modifyAction(Request $request, AuthenticationMappingEntity $mapp | |||
| /** @var AuthenticationMappingEntity $mapping */ | |||
| $mapping = $form->getData(); | |||
| if ($form->get('setpass')->getData()) { | |||
| $mapping->setPass(\UserUtil::getHashedPassword($mapping->getPass())); | |||
| $mapping->setPass($this->container->get('zikula_zauth_module.api.password')->getHashedPassword($mapping->getPass())); | |||
|
|
||
| $hashedPass = $this->api->getHashedPassword('mybirthdayplusabunchofchanracters%&*&^53', 5); // 5 = sha1 | ||
| $this->assertEquals(48, strlen($hashedPass)); | ||
| $this->assertRegExp(';[0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~@#$%^*()_+-={}|\][];', $hashedPass); |
There was a problem hiding this comment.
maybe put ;[0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~@#$%^*()_+-={}|\][]; into a variable for easier reuse (avoiding duplicate strings).
There was a problem hiding this comment.
This string is used in lines 38, 43 and 48.
Description
add PasswordApi. fixes #3175
Todos