
I have implemented ZfcUser in my application. The problem is that the authentication always fails even if the password is correct.

I have dug into the problem. What I have noticed is that the application retrieves the password hash from the password and passes it to the Bcrypt verify method.

Here is the code from Zend:

if (!$bcrypt->verify($credential, $userObject->getPassword())) {
    // Password does not match
    $e->setCode(AuthenticationResult::FAILURE_CREDENTIAL_INVALID)
      ->setMessages(array('Supplied credential is invalid.'));
    $this->setSatisfied(false);
    return false;
}

Now the bcrypt verify method works as follows:

public function verify($password, $hash)
{
    // crypt() takes the stored hash as its "salt" argument
    $result = crypt($password, $hash);
    // constant-time comparison of the stored and recomputed strings
    return Utils::compareStrings($hash, $result);
}

My password is 'admin123'; the generated hash saved for it in the database is "$2y$14$9QsDD3.T3xwCnZsMsiBft.fwLewL.0L5pyViAJY0EbNz0ECIGDi5u".

But I see that it will never match, because the verify method uses the hash value as the salt. Am I doing something wrong, or is there some bug in the framework?

The code used to set up the password in my User entity is:

public function setPassword($password)
{
    $bcrypt = new Bcrypt();
    $bcrypt->setCost(14);
    // create() draws a fresh random salt on every call
    $this->password = $bcrypt->create($password);
}
  • Possible duplicate of [Zend\Crypt\Password\BCrypt verify method](http://stackoverflow.com/questions/32717509/zend-crypt-password-bcrypt-verify-method) – Wilt Nov 12 '15 at 14:15

1 Answer

I asked exactly the same question here.

It turns out that crypt can use the hash. It will break it down into usable pieces and then use the appropriate part of it as the salt, so there is no problem passing the whole hash as the second parameter.

Did you actually try? Could it be that the problem is somewhere else?

  • Maybe then I am storing the password in the wrong way in the database, because the result hash is different from the password hash in the DB. I have included the code in the original post for password generation to save in the database. Kindly have a look at it to check that it is correct. – S. A. Malik Nov 12 '15 at 14:35
  • @backTangent After you created the password immediately try: `$bcrypt->verify($password, $this->password);` – Wilt Nov 12 '15 at 15:08
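An added PHP example, not code from the question, ZfcUser or Zend\Crypt, showing why passing the stored hash as crypt()'s second argument works and why two create() calls on the same password never produce the same string. It assumes only PHP's built-in crypt(), password_hash() and hash_equals(); the helper names are invented here.

```php
<?php
// The bcrypt string is self-describing: scheme, cost and salt are all
// inside it, so crypt() can read them back and recompute the digest.

/**
 * Split a bcrypt modular-crypt-format string into its fields.
 * Returns null if the string is not a 60-char $2a$/$2b$/$2y$ hash.
 */
function splitBcryptHash(string $hash): ?array
{
    $re = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        return null;
    }
    return [
        'scheme' => $m[1],       // "2y" is PHP's bcrypt identifier
        'cost'   => (int) $m[2], // 2^cost key-expansion rounds
        'salt'   => $m[3],       // 128-bit random salt, 22 base64 chars
        'digest' => $m[4],       // 184-bit result, 31 base64 chars
    ];
}

/**
 * Same logic as Zend\Crypt\Password\Bcrypt::verify(): recompute the hash
 * for $password using the salt embedded in $stored, then compare the two
 * full strings in constant time (hypothetical helper name).
 */
function verifyBcrypt(string $password, string $stored): bool
{
    if (splitBcryptHash($stored) === null) {
        return false; // malformed or non-bcrypt value: never a match
    }
    return hash_equals($stored, crypt($password, $stored));
}

// Hash quoted in the question; only its layout is shown here.
$fromQuestion = '$2y$14$9QsDD3.T3xwCnZsMsiBft.fwLewL.0L5pyViAJY0EbNz0ECIGDi5u';
print_r(splitBcryptHash($fromQuestion));

// Hashing the same password twice yields two different strings because
// each call draws a fresh salt. Comparing a newly generated hash against
// the stored one is therefore the wrong check; verify() must be given
// the string that was actually saved.
$first  = password_hash('admin123', PASSWORD_BCRYPT, ['cost' => 14]);
$second = password_hash('admin123', PASSWORD_BCRYPT, ['cost' => 14]);
var_dump($first === $second);
var_dump(verifyBcrypt('admin123', $first));
var_dump(verifyBcrypt('admin123', $second));
var_dump(verifyBcrypt('admin124', $first));
```

Cost 14 takes a noticeable fraction of a second per hash on ordinary hardware, so expect the script to pause on the two password_hash() calls.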