Skip to content

Commit 47f02e1

Browse files
authored
Merge pull request #976 from kenjis/remove-supportOldDangerousPassword
refactor: remove supportOldDangerousPassword
2 parents 6518ffa + 2d4c315 commit 47f02e1

File tree

6 files changed

+26
-83
lines changed

6 files changed

+26
-83
lines changed

UPGRADING.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,13 @@
11
# Upgrade Guide
22

3+
## Version 1.0.0-beta.8 to 1.0.0
4+
5+
## Removed Deprecated Items
6+
7+
The [$supportOldDangerousPassword](#if-you-want-to-allow-login-with-existing-passwords)
8+
feature for backward compatiblity has been removed. The old passwords saved in
9+
Shield v1.0.0-beta.3 or earlier are no longer supported.
10+
311
## Version 1.0.0-beta.7 to 1.0.0-beta.8
412

513
### Mandatory Config Changes

phpstan-baseline.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -348,7 +348,7 @@
348348
];
349349
$ignoreErrors[] = [
350350
'message' => '#^Call to method PHPUnit\\\\Framework\\\\Assert\\:\\:assertInstanceOf\\(\\) with \'CodeIgniter\\\\\\\\Shield\\\\\\\\Result\' and CodeIgniter\\\\Shield\\\\Result will always evaluate to true\\.$#',
351-
'count' => 9,
351+
'count' => 8,
352352
'path' => __DIR__ . '/tests/Authentication/Authenticators/SessionAuthenticatorTest.php',
353353
];
354354
$ignoreErrors[] = [

src/Authentication/Authenticators/Session.php

Lines changed: 17 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -102,8 +102,8 @@ private function checkSecurityConfig(): void
102102
if ($securityConfig->csrfProtection === 'cookie') {
103103
throw new SecurityException(
104104
'Config\Security::$csrfProtection is set to \'cookie\'.'
105-
. ' Same-site attackers may bypass the CSRF protection.'
106-
. ' Please set it to \'session\'.'
105+
. ' Same-site attackers may bypass the CSRF protection.'
106+
. ' Please set it to \'session\'.'
107107
);
108108
}
109109
}
@@ -343,30 +343,19 @@ public function check(array $credentials): Result
343343
/** @var Passwords $passwords */
344344
$passwords = service('passwords');
345345

346-
// This is only for supportOldDangerousPassword.
347-
$needsRehash = false;
348-
349346
// Now, try matching the passwords.
350347
if (! $passwords->verify($givenPassword, $user->password_hash)) {
351-
if (
352-
! setting('Auth.supportOldDangerousPassword')
353-
|| ! $passwords->verifyDanger($givenPassword, $user->password_hash) // @phpstan-ignore-line
354-
) {
355-
return new Result([
356-
'success' => false,
357-
'reason' => lang('Auth.invalidPassword'),
358-
]);
359-
}
360-
361-
// Passed with old dangerous password.
362-
$needsRehash = true;
348+
return new Result([
349+
'success' => false,
350+
'reason' => lang('Auth.invalidPassword'),
351+
]);
363352
}
364353

365354
// Check to see if the password needs to be rehashed.
366355
// This would be due to the hash algorithm or hash
367356
// cost changing since the last time that a user
368357
// logged in.
369-
if ($passwords->needsRehash($user->password_hash) || $needsRehash) {
358+
if ($passwords->needsRehash($user->password_hash)) {
370359
$user->password_hash = $passwords->hash($givenPassword);
371360
$this->provider->save($user);
372361
}
@@ -661,10 +650,10 @@ public function startLogin(User $user): void
661650
if ($userId !== null) {
662651
throw new LogicException(
663652
'The user has User Info in Session, so already logged in or in pending login state.'
664-
. ' If a logged in user logs in again with other account, the session data of the previous'
665-
. ' user will be used as the new user.'
666-
. ' Fix your code to prevent users from logging in without logging out or delete the session data.'
667-
. ' user_id: ' . $userId
653+
. ' If a logged in user logs in again with other account, the session data of the previous'
654+
. ' user will be used as the new user.'
655+
. ' Fix your code to prevent users from logging in without logging out or delete the session data.'
656+
. ' user_id: ' . $userId
668657
);
669658
}
670659

@@ -749,18 +738,18 @@ public function login(User $user): void
749738
if ($this->getIdentitiesForAction($user) !== []) {
750739
throw new LogicException(
751740
'The user has identities for action, so cannot complete login.'
752-
. ' If you want to start to login with auth action, use startLogin() instead.'
753-
. ' Or delete identities for action in database.'
754-
. ' user_id: ' . $user->id
741+
. ' If you want to start to login with auth action, use startLogin() instead.'
742+
. ' Or delete identities for action in database.'
743+
. ' user_id: ' . $user->id
755744
);
756745
}
757746
// Check auth_action in Session
758747
if ($this->getSessionKey('auth_action')) {
759748
throw new LogicException(
760749
'The user has auth action in session, so cannot complete login.'
761-
. ' If you want to start to login with auth action, use startLogin() instead.'
762-
. ' Or delete `auth_action` and `auth_action_message` in session data.'
763-
. ' user_id: ' . $user->id
750+
. ' If you want to start to login with auth action, use startLogin() instead.'
751+
. ' Or delete `auth_action` and `auth_action_message` in session data.'
752+
. ' user_id: ' . $user->id
764753
);
765754
}
766755

src/Authentication/Passwords.php

Lines changed: 0 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -90,21 +90,6 @@ public function verify(string $password, string $hash): bool
9090
return password_verify($password, $hash);
9191
}
9292

93-
/**
94-
* Verifies a password against a previously hashed password.
95-
*
96-
* @param string $password The password we're checking
97-
* @param string $hash The previously hashed password
98-
*
99-
* @deprecated This is only for backward compatibility.
100-
*/
101-
public function verifyDanger(string $password, string $hash): bool
102-
{
103-
return password_verify(base64_encode(
104-
hash('sha384', $password, true)
105-
), $hash);
106-
}
107-
10893
/**
10994
* Checks to see if a password should be rehashed.
11095
*/

src/Config/Auth.php

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -374,16 +374,6 @@ class Auth extends BaseConfig
374374
*/
375375
public int $hashCost = 12;
376376

377-
/**
378-
* If you need to support passwords saved in versions prior to Shield v1.0.0-beta.4.
379-
* set this to true.
380-
*
381-
* See https://github.com/codeigniter4/shield/security/advisories/GHSA-c5vj-f36q-p9vg
382-
*
383-
* @deprecated This is only for backward compatibility.
384-
*/
385-
public bool $supportOldDangerousPassword = false;
386-
387377
/**
388378
* ////////////////////////////////////////////////////////////////////
389379
* OTHER SETTINGS

tests/Authentication/Authenticators/SessionAuthenticatorTest.php

Lines changed: 0 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,6 @@
2121
use CodeIgniter\Shield\Entities\User;
2222
use CodeIgniter\Shield\Exceptions\LogicException;
2323
use CodeIgniter\Shield\Models\RememberModel;
24-
use CodeIgniter\Shield\Models\UserIdentityModel;
2524
use CodeIgniter\Shield\Models\UserModel;
2625
use CodeIgniter\Shield\Result;
2726
use CodeIgniter\Test\Mock\MockEvents;
@@ -313,34 +312,6 @@ public function testCheckSuccess(): void
313312
$this->assertSame($this->user->id, $foundUser->id);
314313
}
315314

316-
public function testCheckSuccessOldDangerousPassword(): void
317-
{
318-
/** @var Auth $config */
319-
$config = config('Auth');
320-
$config->supportOldDangerousPassword = true; // @phpstan-ignore-line
321-
322-
fake(
323-
UserIdentityModel::class,
324-
[
325-
'user_id' => $this->user->id,
326-
'type' => Session::ID_TYPE_EMAIL_PASSWORD,
327-
'secret' => 'foo@example.com',
328-
'secret2' => '$2y$10$WswjNNcR24cJvsXvBc5TveVVVQ9/EYC0eq.Ad9e/2cVnmeSEYBOEm',
329-
]
330-
);
331-
332-
$result = $this->auth->check([
333-
'email' => 'foo@example.com',
334-
'password' => 'passw0rd!',
335-
]);
336-
337-
$this->assertInstanceOf(Result::class, $result);
338-
$this->assertTrue($result->isOK());
339-
340-
$foundUser = $result->extraInfo();
341-
$this->assertSame($this->user->id, $foundUser->id);
342-
}
343-
344315
public function testAttemptCannotFindUser(): void
345316
{
346317
$result = $this->auth->attempt([

0 commit comments

Comments
 (0)