1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 04:23:01 +00:00

Bugfix sessionprefix and password hashing, but it's still not working right.

This commit is contained in:
Starbeamrainbowlabs 2018-05-11 00:18:21 +01:00
parent ae8412ddaf
commit d5b37e3ec0
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
4 changed files with 22 additions and 3 deletions

View file

@ -381,6 +381,13 @@ footer { padding: 2rem; }
/* #ffdb6d #36962c hsl(36, 78%, 80%) hsl(262, 92%, 68%, 0.42) */
THEMECSS;
// This will automatically save to peppermint.json if an automatic takes place
// for another reason (such as password rehashing or user data updates), but it
// doesn't really matter because the site name isn't going to change all that
// often, and even if it does it shouldn't matter :P
if($settings->sessionprefix == "auto")
$settings->sessionprefix = "pepperminty-wiki-" . preg_replace('/[^a-z0-9\-_]/', "-", strtolower($settings->sitename));
/////////////////////////////////////////////////////////////////////////////
@ -388,7 +395,7 @@ THEMECSS;
/////////////////////////////////////////////////////////////////////////////
/** The version of Pepperminty Wiki currently running. */
$version = "v0.17-dev";
$commit = "98c02f0226e78d648388b96e9138e269215ad1be";
$commit = "ae8412ddaf957cdfa6b55b0385093a925ff6a799";
/// Environment ///
/** Holds information about the current request environment. */
$env = new stdClass();
@ -464,7 +471,6 @@ if(isset($_SESSION[$settings->sessionprefix . "-user"]) and
// by the login action
$env->user = $_SESSION[$settings->sessionprefix . "-user"];
$env->pass = $_SESSION[$settings->sessionprefix . "-pass"];
error_log($settings->users->{$env->user}->password . " / $env->pass");
if($settings->users->{$env->user}->password == $env->pass)
{
// The user is logged in
@ -7376,6 +7382,7 @@ register_module([
$env->user_data = $settings->users->{$env->user};
$new_password_hash = hash_password_update($pass, $settings->users->$user->password);
error_log("$pass / $new_password_hash");
// Update the password hash
if($new_password_hash !== null) {
$env->user_data->password = $new_password_hash;
@ -7484,6 +7491,7 @@ function hash_password_properties() {
*/
function hash_password($pass)
{
error_log("hashing '$pass'");
$props = hash_password_properties();
return password_hash(
base64_encode(hash("sha384", $pass)),

View file

@ -203,7 +203,7 @@
"author": "Starbeamrainbowlabs",
"description": "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
"id": "page-login",
"lastupdate": 1525993049,
"lastupdate": 1525993883,
"optional": false
},
{

View file

@ -102,6 +102,10 @@ register_module([
$env->user_data = $settings->users->{$env->user};
$new_password_hash = hash_password_update($pass, $settings->users->$user->password);
error_log("$pass / $new_password_hash");
// TODO: When rehashing a password automatically, it no longer checks out against password_verify during login
// Looks like a bug in hash_password, as it's not letting us in if we calculate it via the has action either
// Update the password hash
if($new_password_hash !== null) {
$env->user_data->password = $new_password_hash;

View file

@ -64,4 +64,11 @@ if($settingsUpgraded)
$defaultCSS = <<<THEMECSS
{default-css}
THEMECSS;
// This will automatically save to peppermint.json if an automatic takes place
// for another reason (such as password rehashing or user data updates), but it
// doesn't really matter because the site name isn't going to change all that
// often, and even if it does it shouldn't matter :P
if($settings->sessionprefix == "auto")
$settings->sessionprefix = "pepperminty-wiki-" . preg_replace('/[^a-z0-9\-_]/', "-", strtolower($settings->sitename));
?>