Merge branch '53-password-hotfix'

application/config/migration.php

@@ -21,7 +21,7 @@
 | be upgraded / downgraded to.
 |
 */
-$config['migration_version'] = 3;
+$config['migration_version'] = 4;
 
 
 /*

application/helpers/hash_helper.php

@@ -5,35 +5,35 @@ function generateCSRF()
     return generateToken(50);
 }
 
-function generateHash($str)
+function generateHash($str, $salt=null)
 {
-    $token  = generateToken(50);
+    $salt = (empty($salt)) ? generateToken(50) : $salt;
 
     if (CRYPT_SHA512 == 1) {
-        return crypt($str, '$6$rounds=5000$' . $token . '$');
+        $crypt = crypt($str, '$6$rounds=5000$' . $salt . '$');
     }
-
-    if (CRYPT_SHA256 == 1) {
-        return crypt($str, '$5$rounds=5000$' . $token . '$');
+    elseif (CRYPT_SHA256 == 1) {
+        $crypt = crypt($str, '$5$rounds=5000$' . $salt . '$');
     }
-
-    if (CRYPT_BLOWFISH == 1) {
-        return crypt($str, '$2a$07$' . $token . '$');
+    elseif (CRYPT_BLOWFISH == 1) {
+        $crypt = crypt($str, '$2a$07$' . $salt . '$');
     }
-
-    if (CRYPT_MD5 == 1) {
-        return crypt($str, '$1$' . $token . '$');
+    elseif(CRYPT_MD5 == 1) {
+        $crypt = crypt($str, '$1$' . $salt . '$');
     }
-
-    if (CRYPT_EXT_DES == 1) {
-        return crypt($str, '_J9' . $token);
+    elseif(CRYPT_EXT_DES == 1) {
+        $crypt = crypt($str, '_J9' . $salt);
+    }
+    elseif(CRYPT_STD_DES == 1) {
+        $crypt = crypt($str, $salt);
     }
 
-    if (CRYPT_STD_DES == 1) {
-        return crypt($str, $token);
+    if (! isset($crypt)) {
+        return false;
+        // Throw exception once everything is hooked up
     }
 
-    throw new Exception('No hashing mechanisms supported.');
+    return array('salt' => $salt, 'encrypted' => $crypt);
 }
 
 function generatePassword($len=12)

application/migrations/004_password_update.php

@@ -0,0 +1,15 @@
+<?php defined('BASEPATH') OR exit('No direct script access allowed');
+
+class Migration_Password_update extends CI_Migration {
+
+    public function up()
+    {
+      $this->db->query("ALTER TABLE `users` ADD COLUMN `salt` varchar(50) DEFAULT NULL COMMENT 'The salt used to generate password.' AFTER `password`");
+    }
+
+    public function down()
+    {
+      $this->db->query("ALTER TABLE `users` DROP COLUMN `salt`");
+    }
+
+}

application/models/users_model.php

@@ -25,15 +25,16 @@ function create_user()
 
 		// Add user to users table
         $this->load->helper('hash_helper');
-        $password = generateHash($password);
+        $hash = generateHash($password);
 
-        if ($password === false) {
+        if ($hash === false) {
             return false;
         }
 
 		$this->db->insert('users', array(
             'email'    => $email,
-            'password' => $password,
+            'password' => $hash['encrypted'],
+            'salt'     => $hash['salt'],
             'status'   => 'active'
         ));
 
@@ -48,16 +49,17 @@ function update_user()
         // Form input data
         $user_id   = $this->input->post('userid');
         $email     = $this->input->post('emailaddress');
-        $password  = generateHash($this->input->post('password'));
+        $hash      = generateHash($this->input->post('password'));
         $status    = $this->input->post('status');
 
-        if ($password !== false) {
+        if ($hash !== false) {
 
             // Add user to users table
             $this->db->update('users',
                 array(
                     'email'    => $emailaddress,
-                    'password' => $password,
+                    'password' => $hash['encrypted'],
+                    'salt'     => $hash['salt'],
                     'status'   => $status
                 ),
                 array(
@@ -108,22 +110,33 @@ function check_user_credentials()
         $this->load->helper('hash_helper');
 		$email     = $this->input->post('emailaddress', true);
 		$password  = $this->input->post('password', true);
-        $hash      = generateHash($password);
 
-        if ($hash === false) {
+
+        // Get user by email address
+        $user = $this->db->query("SELECT * FROM `users` WHERE email = '" . $email . "' LIMIT 1");
+
+        if ($user->num_rows() < 1) {
             return false;
         }
 
-    	// Select user from database
-        // Have to look for both hash types
-        // so we can be backwards compatible with older versions
-        $user = $this->db->query("
-            SELECT * FROM `users`
-            WHERE email = '" . $email . "' AND
-            (password = '" . md5($password) . "' OR password = '" . $hash . "')
-        ");
+        // Check passwords
+        $row                = $user->row();
+        $encrypted_password = $row->password;
+        $salt               = $row->salt;
+
+        // If salt exists, check it
+        // Else check old MD5 checksum
+        if (! empty($salt)) {
+            $hash  = generateHash($password, $salt);
+            $match = (isset($hash['encrypted']) && $encrypted_password == $hash['encrypted']) ? true : false;
+        }
+        else {
+            $match = (md5($password) == $encrypted_password) ? true : false;
+        }
+
+        // If a match, return array, else false
+        return ($match === true) ? $user->row_array() : false;
 
-        return ($user->num_rows() > 0) ? $user->row_array() : false;
     }
 
 

application/views/changelog.php

@@ -5,6 +5,11 @@
     <h2>Changelog</h2>
 		<p>A quick list of what's new. Posted immediately upon update.</p>
 
+        <h4 id="039"><a href="#039">0.3.8 - 15 January 2014</a></h4>
+          <ul>
+            <li>Bug: Fixing password issue. Forgot to store salt, DERP!</li>
+          </ul>
+
 		<h4 id="038"><a href="#038">0.3.8 - 14 January 2014</a></h4>
           <ul>
             <li>Update: Added new migation file for `users` table updates</li>