4

So, I have set up the security component in my DI, as such...

--services.php--
$di->set('security', function(){
    $security = new Phalcon\Security();
    //Set the password hashing factor to 11 rounds
    $security->setWorkFactor(11);
    return $security;
}, true);

--Custom Auth Library (auth.php)--
    $user = Users::findFirstByEmail($login);
    if ($user) {
        if ($this->security->checkHash($password, $user->password)) {
           return true;
        }
    }
    return false;

But, for some reason, this always returns false. So, to debug, I tried using PHP's password_verify function; the following code is in my view directly:

//Returns false
var_dump($this->security->checkHash('password', '$2a$12$aSa7zLEd24zjh2aoUasxd.hbxIm8IQ0/vMf/8p4LTYI3VtZMJ62Pe'));
//Returns true
var_dump(password_verify('password', '$2a$12$aSa7zLEd24zjh2aoUasxd.hbxIm8IQ0/vMf/8p4LTYI3VtZMJ62Pe'));

What am I missing???

Justin E
  • If I didn't provide enough information, please let me know. – Justin E Jan 30 '14 at 21:06
  • FYI: You don't need to `echo var_dump`. `var_dump` doesn't return anything, it prints to the screen. – gen_Eric Jan 30 '14 at 21:09
  • I realize that, but I already typed var_dump to debug this in the controller, and model, and already had an echo line...it is counter-productive, but for debugging, it does no harm. At least, I don't think it does, but good point. – Justin E Jan 30 '14 at 21:10
  • It does no harm, just felt like pointing it out :) – gen_Eric Jan 30 '14 at 21:10
  • eh, corrected anyways – Justin E Jan 30 '14 at 21:11
  • How are you hashing the passwords to begin with? With `password_hash` or `$this->security->hash`? – gen_Eric Jan 30 '14 at 21:12
  • `$this->security->hash("password");` then I stored that value in the db manually, and attempted to verify using `$this->security->checkHash();` – Justin E Jan 30 '14 at 21:13
  • but that shouldn't matter, according to: https://github.com/phalcon/cphalcon/issues/1912 – Justin E Jan 30 '14 at 21:15
  • Try to set it to 12 rounds instead of 11. – gen_Eric Jan 30 '14 at 21:16
  • Did that already too; in fact, that is what it was set at initially, and I adjusted it to 11 afterwards to see if maybe that had something to do with it. – Justin E Jan 30 '14 at 21:17
  • I thought the "12" in `$2a$12$` was the cost, but I could be wrong. If that didn't help, then I'm not sure, sorry. – gen_Eric Jan 30 '14 at 21:18
  • Just switched it back to 12 with the same problem. – Justin E Jan 30 '14 at 21:19
  • @JustinE just as a sanity check, you could try running [this script](http://pastebin.com/6tNRgyXg). If you get two true values from that, your problem might be caused by something else in your code. – Stecman Jan 30 '14 at 21:59

3 Answers

2

Okay, so it seems that if I set both the hash and the password to a variable, it parses both statements correctly.

I appreciate all of the help, but this was the final solution.

$password = $pass;
$hash = '$2a$12$lDL2eQ1GLJsJhKgPvU6agOnHpwNSBYPtWHF/O/aTvyISzI.ugjyLC';

var_dump($this->security->checkHash($password, $hash));
var_dump(password_verify($password, $hash));
Justin E
  • What is the point of using this line `$password = $pass;`? Thank you – 0xh8h Jan 31 '15 at 04:10
  • That was part of a more complex hashing algorithm that was applied to the password after php hashed it. To simplify the question, I omitted these details. It doesn't hurt, and requires almost no processing power. – Justin E Jan 31 '15 at 04:14
  • I'm using bcrypt for my API as well, but after I set up the DI and use `$password_hash = $this->security->hash($password); echo json_encode($password_hash);`, it doesn't echo anything, just blank. But when I use sha1, it echoes the right hash. Did I do anything wrong? Thank you – 0xh8h Jan 31 '15 at 04:28
1

This might be related to "Security::checkHash returns true when using with a non-bcrypt hash", which was fixed a few days ago.

Looking at the code, the problem might be within this block; can you verify that the user model gets loaded, and so does its hashed password?

$user = Users::findFirstByEmail($login);
if ($user) {
    if ($this->security->checkHash($password, $user->password)) {
       return true;
    }
}
return false;
Ian Bytchek
  • It does, because I can remove `if ($this->security->checkHash($password, $user->password)) { return true; }` and add `return $user->password;`, and it echoes the hashed password. – Justin E Jan 31 '14 at 00:07
  • Not exactly related to my issue, as I am positive, and have verified it is getting the correct hash from the database. – Justin E Jan 31 '14 at 00:16
1

In case someone gets here and none of the answers above seems to help, and you keep feeling more and more dumb, check the password column length in your users table! In my case it was a varchar(50) and the hash gives you 60 chars.

Doing this (pointed out above), http://pastebin.com/6tNRgyXg, helped me realise that something other than the code was wrong.

  • My password length was set to the max length of a varchar, which was 255 characters, so that was not the issue. Still a good thing to check... +1 – Justin E Oct 29 '15 at 16:25
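An added example, not from the question or any of the answers, that reproduces the varchar(50) failure from this answer with plain PHP: it hashes a constructed password with password_hash(), pushes the hash through a simulated 50-character column, and shows why password_verify() (and any checkHash() wrapper over bcrypt) can never succeed on the stored value. The bcryptHashProblem() helper is my own, and is the check I would run on the value read back from the database before suspecting the verification call.

```php
<?php
// Added example (not from the question or answers): reproduces the
// varchar(50) truncation failure and adds a sanity check on stored hashes.
declare(strict_types=1);

// A bcrypt hash string is always 60 characters; a narrower column loses the tail.
const BCRYPT_HASH_LENGTH = 60;

/**
 * Returns null when $storedHash looks like an intact bcrypt hash, otherwise
 * a short description of what is wrong with it. Run this on the value read
 * back from the database before suspecting checkHash()/password_verify().
 */
function bcryptHashProblem(string $storedHash): ?string
{
    $len = strlen($storedHash);
    if ($len !== BCRYPT_HASH_LENGTH) {
        return "hash is $len chars, expected " . BCRYPT_HASH_LENGTH . " (truncated column?)";
    }
    if (preg_match('#^\$2[aby]\$\d{2}\$#', $storedHash) !== 1) {
        return 'hash does not start with a bcrypt prefix such as $2y$12$';
    }
    return null;
}

// Simulates what a non-strict database does to a value on INSERT into a
// varchar($width) column: everything past $width characters is dropped.
function simulateVarcharColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

$password = 'password'; // constructed sample value, not a real credential
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

// Intact hash: the length/prefix check reports nothing and verification succeeds.
var_dump(bcryptHashProblem($hash));
var_dump(password_verify($password, $hash));

// Same hash stored through a varchar(50): 10 characters are lost, so the
// check reports the short length and verification fails regardless of
// which library does the comparison.
$truncated = simulateVarcharColumn($hash, 50);
var_dump(bcryptHashProblem($truncated));
var_dump(password_verify($password, $truncated));
```

On MySQL the silent truncation only happens with strict SQL mode off; with it on, the INSERT is rejected with an error, which is the failure you want.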