Remove legacy password algoritms and move to Laravel standard. (#12252)

2024-10-07 16:52:45 +00:00 · 2020-10-23 16:56:17 +02:00
parent 774d95c118
commit 780e74b0e1
4 changed files with 8 additions and 75 deletions
--- a/LibreNMS/Authentication/MysqlAuthorizer.php
+++ b/LibreNMS/Authentication/MysqlAuthorizer.php
@@ -3,10 +3,9 @@
 namespace LibreNMS\Authentication;

 use App\Models\User;
-use Illuminate\Support\Str;
+use Illuminate\Support\Facades\Hash;
 use LibreNMS\DB\Eloquent;
 use LibreNMS\Exceptions\AuthenticationException;
-use Phpass\PasswordHash;

 class MysqlAuthorizer extends AuthorizerBase
 {
@@ -27,32 +26,11 @@ class MysqlAuthorizer extends AuthorizerBase
            throw new AuthenticationException($message = 'login denied');
        }

-        // check for old passwords
-        if (strlen($hash) == 32) {
-            // md5
-            if (md5($password) === $hash) {
+        if (Hash::check($password, $hash)) {
+            if (Hash::needsRehash($hash)) {
                $this->changePassword($username, $password);
-
-                return true;
            }
-        } elseif (Str::startsWith($hash, '$1$')) {
-            // old md5 crypt
-            if (crypt($password, $hash) == $hash) {
-                $this->changePassword($username, $password);

-                return true;
-            }
-        } elseif (Str::startsWith($hash, '$P$')) {
-            // Phpass
-            $hasher = new PasswordHash();
-            if ($hasher->CheckPassword($password, $hash)) {
-                $this->changePassword($username, $password);
-
-                return true;
-            }
-        }
-
-        if (password_verify($password, $hash)) {
            return true;
        }

--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -6,6 +6,7 @@ use App\Events\UserCreated;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
+use Illuminate\Support\Facades\Hash;
 use LibreNMS\Authentication\LegacyAuth;
 use Permissions;

@@ -94,7 +95,7 @@ class User extends Authenticatable
     */
    public function setPassword($password)
    {
-        $this->attributes['password'] = $password ? password_hash($password, PASSWORD_DEFAULT) : null;
+        $this->attributes['password'] = $password ? Hash::make($password) : null;
    }

    /**
--- a/composer.json
+++ b/composer.json
@@ -62,8 +62,7 @@
        "symfony/yaml": "^4.0",
        "tecnickcom/tcpdf": "~6.2.0",
        "tightenco/ziggy": "^0.8.0",
-        "wpb/string-blade-compiler": "dev-laravel-7-and-autoload-blade-custom-directives",
-        "xjtuwangke/passwordhash": "dev-master"
+        "wpb/string-blade-compiler": "dev-laravel-7-and-autoload-blade-custom-directives"
    },
    "require-dev": {
        "barryvdh/laravel-debugbar": "^3.2",
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "4389f49396c63fa97f39a7fb849f9312",
+    "content-hash": "da041241928d2324788ffb2accf1a739",
    "packages": [
        {
            "name": "amenadiel/jpgraph",
@@ -6114,50 +6114,6 @@
                "source": "https://github.com/librenms/StringBladeCompiler/tree/laravel-7-and-autoload-blade-custom-directives"
            },
            "time": "2020-07-10T19:15:25+00:00"
-        },
-        {
-            "name": "xjtuwangke/passwordhash",
-            "version": "dev-master",
-            "source": {
-                "type": "git",
-                "url": "git@github.com:xjtuwangke/passwordhash.git",
-                "reference": "a7bcd9705add858cd496bdd8cdc9bbed231e8bb3"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/xjtuwangke/passwordhash/zipball/a7bcd9705add858cd496bdd8cdc9bbed231e8bb3",
-                "reference": "a7bcd9705add858cd496bdd8cdc9bbed231e8bb3",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">=5.3.3"
-            },
-            "type": "library",
-            "autoload": {
-                "psr-0": {
-                    "Phpass": "src/"
-                }
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "Public Domain"
-            ],
-            "authors": [
-                {
-                    "name": "Solar Designer",
-                    "email": "solar@openwall.com",
-                    "homepage": "http://openwall.com/phpass/"
-                }
-            ],
-            "description": "Portable PHP password hashing framework",
-            "homepage": "http://github.com/xjtuwangke/passwordhash/",
-            "keywords": [
-                "blowfish",
-                "crypt",
-                "password",
-                "security"
-            ],
-            "time": "2012-08-31T00:00:00+00:00"
        }
    ],
    "packages-dev": [
@@ -9748,8 +9704,7 @@
    "minimum-stability": "stable",
    "stability-flags": {
        "oriceon/toastr-5-laravel": 20,
-        "wpb/string-blade-compiler": 20,
-        "xjtuwangke/passwordhash": 20
+        "wpb/string-blade-compiler": 20
    },
    "prefer-stable": false,
    "prefer-lowest": false,