diff --git a/application/config/migration.php b/application/config/migration.php index cd7045f3..2b890152 100644 --- a/application/config/migration.php +++ b/application/config/migration.php @@ -21,7 +21,7 @@ | be upgraded / downgraded to. | */ -$config['migration_version'] = 3; +$config['migration_version'] = 4; /* diff --git a/application/helpers/hash_helper.php b/application/helpers/hash_helper.php index cb348472..97310752 100644 --- a/application/helpers/hash_helper.php +++ b/application/helpers/hash_helper.php @@ -5,35 +5,35 @@ function generateCSRF() return generateToken(50); } -function generateHash($str) +function generateHash($str, $salt=null) { - $token = generateToken(50); + $salt = (empty($salt)) ? generateToken(50) : $salt; if (CRYPT_SHA512 == 1) { - return crypt($str, '$6$rounds=5000$' . $token . '$'); + $crypt = crypt($str, '$6$rounds=5000$' . $salt . '$'); } - - if (CRYPT_SHA256 == 1) { - return crypt($str, '$5$rounds=5000$' . $token . '$'); + elseif (CRYPT_SHA256 == 1) { + $crypt = crypt($str, '$5$rounds=5000$' . $salt . '$'); } - - if (CRYPT_BLOWFISH == 1) { - return crypt($str, '$2a$07$' . $token . '$'); + elseif (CRYPT_BLOWFISH == 1) { + $crypt = crypt($str, '$2a$07$' . $salt . '$'); } - - if (CRYPT_MD5 == 1) { - return crypt($str, '$1$' . $token . '$'); + elseif(CRYPT_MD5 == 1) { + $crypt = crypt($str, '$1$' . $salt . '$'); } - - if (CRYPT_EXT_DES == 1) { - return crypt($str, '_J9' . $token); + elseif(CRYPT_EXT_DES == 1) { + $crypt = crypt($str, '_J9' . $salt); + } + elseif(CRYPT_STD_DES == 1) { + $crypt = crypt($str, $salt); } - if (CRYPT_STD_DES == 1) { - return crypt($str, $token); + if (! isset($crypt)) { + return false; + // Throw exception once everything is hooked up } - throw new Exception('No hashing mechanisms supported.'); + return array('salt' => $salt, 'encrypted' => $crypt); } function generatePassword($len=12) diff --git a/application/migrations/004_password_update.php b/application/migrations/004_password_update.php new file mode 100644 index 00000000..6310c2c2 --- /dev/null +++ b/application/migrations/004_password_update.php @@ -0,0 +1,15 @@ +db->query("ALTER TABLE `users` ADD COLUMN `salt` varchar(50) DEFAULT NULL COMMENT 'The salt used to generate password.' AFTER `password`"); + } + + public function down() + { + $this->db->query("ALTER TABLE `users` DROP COLUMN `salt`"); + } + +} \ No newline at end of file diff --git a/application/models/users_model.php b/application/models/users_model.php index 3674064f..56f25031 100644 --- a/application/models/users_model.php +++ b/application/models/users_model.php @@ -25,15 +25,16 @@ function create_user() // Add user to users table $this->load->helper('hash_helper'); - $password = generateHash($password); + $hash = generateHash($password); - if ($password === false) { + if ($hash === false) { return false; } $this->db->insert('users', array( 'email' => $email, - 'password' => $password, + 'password' => $hash['encrypted'], + 'salt' => $hash['salt'], 'status' => 'active' )); @@ -48,16 +49,17 @@ function update_user() // Form input data $user_id = $this->input->post('userid'); $email = $this->input->post('emailaddress'); - $password = generateHash($this->input->post('password')); + $hash = generateHash($this->input->post('password')); $status = $this->input->post('status'); - if ($password !== false) { + if ($hash !== false) { // Add user to users table $this->db->update('users', array( 'email' => $emailaddress, - 'password' => $password, + 'password' => $hash['encrypted'], + 'salt' => $hash['salt'], 'status' => $status ), array( @@ -108,22 +110,33 @@ function check_user_credentials() $this->load->helper('hash_helper'); $email = $this->input->post('emailaddress', true); $password = $this->input->post('password', true); - $hash = generateHash($password); - if ($hash === false) { + + // Get user by email address + $user = $this->db->query("SELECT * FROM `users` WHERE email = '" . $email . "' LIMIT 1"); + + if ($user->num_rows() < 1) { return false; } - // Select user from database - // Have to look for both hash types - // so we can be backwards compatible with older versions - $user = $this->db->query(" - SELECT * FROM `users` - WHERE email = '" . $email . "' AND - (password = '" . md5($password) . "' OR password = '" . $hash . "') - "); + // Check passwords + $row = $user->row(); + $encrypted_password = $row->password; + $salt = $row->salt; + + // If salt exists, check it + // Else check old MD5 checksum + if (! empty($salt)) { + $hash = generateHash($password, $salt); + $match = (isset($hash['encrypted']) && $encrypted_password == $hash['encrypted']) ? true : false; + } + else { + $match = (md5($password) == $encrypted_password) ? true : false; + } + + // If a match, return array, else false + return ($match === true) ? $user->row_array() : false; - return ($user->num_rows() > 0) ? $user->row_array() : false; } diff --git a/application/views/changelog.php b/application/views/changelog.php index 2d9e45cc..c338c2f5 100644 --- a/application/views/changelog.php +++ b/application/views/changelog.php @@ -5,6 +5,11 @@

Changelog

A quick list of what's new. Posted immediately upon update.

+

0.3.8 - 15 January 2014

+ +

0.3.8 - 14 January 2014