external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use bcrypt to hash passwords

Browse source 
Replace the default hash function used for storing passwords by
password_hash() which internally uses bcrypt. Legacy MD5 hashes are
still supported and are immediately converted to the new format when a
user logs in.

Since big parts of the authentication system needed to be rewritten in
this context, this patch also includes some simplification and
refactoring of all code related to password checking and resetting.

Fixes FS#52297.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
This commit is contained in:
Lukas Fleischer 2017-02-24 19:52:28 +01:00
parent 31754909b1
commit 29a48708bb
5 changed files with 72 additions and 150 deletions
Download patch file Download diff file Expand all files Collapse all files

5
web/html/passreset.php
View file

@ -34,10 +34,7 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
}
if (empty($error)) {
$salt = generate_salt();
$hash = salted_hash($password, $salt);
$error = password_reset($hash, $salt, $resetkey, $email);
$error = password_reset($password, $resetkey, $email);
}
} elseif (isset($_POST['email'])) {
$email = $_POST['email'];