Improve password hashing security using password_hash and password_ve…

…rify.
maurobonfietti · Jul 11, 2022 · 6e92d77 · 6e92d77
1 parent 10daf56
commit 6e92d77
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 6 deletions.
diff --git a/database/database.sql b/database/database.sql
@@ -47,7 +47,7 @@ INSERT INTO `users` (`name`, `email`, `password`) VALUES ('Carlos', 'bianchini@h
 INSERT INTO `users` (`name`, `email`, `password`) VALUES ('Diego', '[email protected]', 'd5f4da62059760b35de35f8fbd8efb43eee26ac741ef8c6e51782a13ac7d50e927b653160c591616a9dc8a452c877a6b80c00aecba14504756a65f88439fcd1e');
 INSERT INTO `users` (`name`, `email`, `password`) VALUES ('One User', '[email protected]', 'd5f4da62059760b35de35f8fbd8efb43eee26ac741ef8c6e51782a13ac7d50e927b653160c591616a9dc8a452c877a6b80c00aecba14504756a65f88439fcd1e');
 INSERT INTO `users` (`name`, `email`, `password`) VALUES ('Diegol', '[email protected]', 'd5f4da62059760b35de35f8fbd8efb43eee26ac741ef8c6e51782a13ac7d50e927b653160c591616a9dc8a452c877a6b80c00aecba14504756a65f88439fcd1e');
-INSERT INTO `users` (`name`, `email`, `password`) VALUES ('Test User', '[email protected]', 'd5f4da62059760b35de35f8fbd8efb43eee26ac741ef8c6e51782a13ac7d50e927b653160c591616a9dc8a452c877a6b80c00aecba14504756a65f88439fcd1e');
+INSERT INTO `users` (`name`, `email`, `password`) VALUES ('Test User', '[email protected]', '$2y$10$S9.JvxDbDhESUZvZWmpyleWB4YTHEaCJ5nevlXMHNso8J4X4/Sgeq');
 
 -- ----------------------------
 -- Table structure for notes

diff --git a/src/Repository/UserRepository.php b/src/Repository/UserRepository.php
@@ -91,17 +91,19 @@ public function loginUser(string $email, string $password): User
         $query = '
             SELECT *
             FROM `users`
-            WHERE `email` = :email AND `password` = :password
+            WHERE `email` = :email
             ORDER BY `id`
         ';
         $statement = $this->database->prepare($query);
         $statement->bindParam('email', $email);
-        $statement->bindParam('password', $password);
         $statement->execute();
         $user = $statement->fetchObject(User::class);
         if (! $user) {
             throw new \App\Exception\User('Login failed: Email or password incorrect.', 400);
         }
+        if (! password_verify($password, $user->getPassword())) {
+            throw new \App\Exception\User('Login failed: Email or password incorrect.', 400);
+        }
 
         return $user;
     }

diff --git a/src/Service/User/Create.php b/src/Service/User/Create.php
@@ -41,7 +41,8 @@ private function validateUserData(array $input): User
         $myuser = new User();
         $myuser->updateName(self::validateUserName($user->name));
         $myuser->updateEmail(self::validateEmail($user->email));
-        $myuser->updatePassword(hash('sha512', $user->password));
+        $hash = password_hash($user->password, PASSWORD_BCRYPT);
+        $myuser->updatePassword($hash);
         $this->userRepository->checkUserByEmail($user->email);
 
         return $myuser;

diff --git a/src/Service/User/Login.php b/src/Service/User/Login.php
@@ -21,8 +21,7 @@ public function login(array $input): string
         if (! isset($data->password)) {
             throw new User('The field "password" is required.', 400);
         }
-        $password = hash('sha512', $data->password);
-        $user = $this->userRepository->loginUser($data->email, $password);
+        $user = $this->userRepository->loginUser($data->email, $data->password);
         $token = [
             'sub' => $user->getId(),
             'email' => $user->getEmail(),