
CakePHP version: 3.3.5

I'm building a simple system with which users can log in (using an email and password) and, after login, change their password.

For this, I'm using DefaultPasswordHasher.

I had a few users already in my db. Their records were already present. So when I wrote the login function, it worked. I compared the password the user enters with the hashed password already present in the db. The check was successful and the user was able to log in.

Now, after login, I wrote a change-password function, which updates the user's password. The new hash string replaced the old password string, but when I try to log in again, login fails.

I will share my controller here. It's pretty basic.

namespace Api\Controller;
use Cake\Utility\Security;
use Cake\Utility\Hash;
use Cake\Auth\DefaultPasswordHasher;
use Api\Controller\AppController;

class LoginController extends AppController
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('RequestHandler');
    }

    //Function to reset the password
    public function resetPassword()
    {
        $pass   = $this->request->data['pass'];
        $hasher = new DefaultPasswordHasher();
        $hashedPass = $hasher->hash($pass);

        $this->loadModel('Login');
        //save it to db
        $responseArray = $this->Login->resetPassword($hashedPass);
        $this->set(compact('responseArray'));
        $this->set('_serialize', ['responseArray']);
    }

    //Function to login
    public function login()
    {
        $result = null;
        if ($this->request->is('post'))
        {
            //Password submitted via form
            $pass   = $this->request->data['pass'];

            //Hashed password fetched from db via a function call
            $actualPassword = 'hashedPasswordString';

            //Compare password submitted and hash from db
            if($this->checkPassword($pass,$actualPassword))
            {
                $result = 'password matched';
            }
            else
            {
                $result = 'password doesnot match';
            }
        }
        $this->set(compact('result'));
        $this->set('_serialize', ['result']);
    }

    //Function to compare password and hash
    public function checkPassword($passedPassword , $actualPassword)
    {
        if ((new DefaultPasswordHasher)->check($passedPassword, $actualPassword)) {
            return true;
        } else {
            return false;
        }
    }

}

Can anyone tell me why the passwords don't match? I'm new to the CakePHP framework. Thanks in advance!

Smokey
  • What exactly does `$responseArray = $this->Login->resetPassword($hashedPass);` do? – Marijan Apr 05 '17 at 12:54
  • 1
    Why don't you use the authentication component that ships with CakePHP? Also please don't remove code that is crucial for things to work, like the code that fetches the current password, you might think/know that it works as expcted, but that might not be the case, and readers can't know without seeing it. That being said, can you present any debugging results? Is the value read from the password identical to the value stored in the database? Are the new hashes being stored properly in the first place (actually hashed, not cut off, not double/triple/.. hashed)? ... – ndm Apr 05 '17 at 12:55
  • Tip: [Passwordable behavior](https://github.com/dereuromark/cakephp-tools/blob/master/docs/Behavior/Passwordable.md) might be easier, as it requires only a single line (to add the behavior) in your edit actions :) – mark Apr 05 '17 at 13:07

2 Answers

This is what my reset password workflow looks like. I cannot tell from your post what your entity and table look like.

Any time posted data is converted into a user entity, it will now be hashed.

Admin/UsersController.php

public function password($id = null)
{
    $user = $this->Users->get($id, [
        'fields' => ['id', 'first_name', 'last_name', 'username']
    ]);
    if ($this->request->is('put')) {
        if ($this->request->data['password'] == $this->request->data['password2']) {
            $this->Users->patchEntity($user, ['password' => $this->request->data['password']]);
            $this->Users->save($user);
            $this->Flash->success('Password has been updated');
            return $this->redirect('/admin/users/password/' . $id);
        } else {
            $this->Flash->error('Passwords do not match');
        }
    }

    $this->set(compact('user'));
}

Model/Entity/User.php

// requires: use Cake\Auth\DefaultPasswordHasher;

// Mutator: runs automatically whenever the entity's password property is set
protected function _setPassword($password)
{
    if (strlen($password) > 0) {
        return (new DefaultPasswordHasher)->hash($password);
    }
}
styks
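As an added diagnostic (plain PHP, not code from the question or the answers; it assumes only PHP's built-in password_hash()/password_verify(), which DefaultPasswordHasher::hash()/check() wrap), this reproduces the two failure modes ndm's comment asks about: a password hashed in the controller and hashed again by an entity mutator, and a bcrypt hash cut off by a too-narrow column.

```php
<?php
// Added example, not part of the original question or answers.
// DefaultPasswordHasher uses password_hash()/password_verify() under the hood,
// so these plain-PHP calls behave the same way as the framework's hasher.

function hashOnce(string $plain): string
{
    // bcrypt, cost 10: the DefaultPasswordHasher defaults
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Case 1: the controller hashes, then an entity mutator (_setPassword)
// hashes the already-hashed string again. What gets stored is a hash of
// the hash, so the plain password can never verify against it.
function storeDoubleHashed(string $plain): string
{
    $controllerHash = hashOnce($plain); // hashed once in the controller
    return hashOnce($controllerHash);    // hashed again when the entity is saved
}

// Case 2: a bcrypt hash is 60 characters. If the password column is
// narrower (e.g. VARCHAR(50)), the database silently stores a prefix,
// which is no longer a valid hash.
function storeTruncated(string $plain, int $columnWidth): string
{
    return substr(hashOnce($plain), 0, $columnWidth);
}

function verify(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

$plain = 'correct horse battery staple'; // constructed sample password

printf("single hash verifies:    %s\n", var_export(verify($plain, hashOnce($plain)), true));
printf("double hash verifies:    %s\n", var_export(verify($plain, storeDoubleHashed($plain)), true));
printf("truncated hash verifies: %s\n", var_export(verify($plain, storeTruncated($plain, 50)), true));
printf("bcrypt hash length: %d characters (the column must hold at least this)\n",
    strlen(hashOnce($plain)));
```

Comparing the length and prefix of what is actually stored in the users table against a fresh hash from this script is the quickest way to tell which of the two cases applies.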
// requires: use Cake\Auth\DefaultPasswordHasher;
// Assumes the User entity has a _setPassword() mutator, so assigning the
// plain new password to the entity hashes it on save.
public function changePassword(){
    if ($this->request->is('post')) {
        $data = $this->request->data();
        $res['success'] = FALSE;
        $user = $this->Users->get($this->Auth->user('id'))->toArray();
        // verify the old password against the stored hash
        if ((new DefaultPasswordHasher)->check($data['oldPassword'], $user['password'])) {
            if($data['newPassword'] == $data['confPassword']){
                $userEntity = $this->Users->get($this->Auth->user('id'));
                $userEntity->password = $data['newPassword'];
                if($this->Users->save($userEntity)){
                    $res['success'] = TRUE;
                    $res['message'] = 'Password Changed Successfully.';
                }
            }else{
                $res['success'] = FALSE;
                $res['message'] = 'Confirm password is not same as new password. please enter both password again!!';
            }

        }else{
            $res['success'] = FALSE;
            $res['message'] = 'Your old password is wrong!';
        }
        echo json_encode($res);
        exit();

    }
}
Govind Jha