Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Sentry activation_hash/Password validation FAIL !
  • rocc777rocc777
    Hi my name is dustin. Currently i check the auth package "Sentry" which is very
    recommend to my requiremends. I use it as codebase. I mean i have found a big logical mistake by the author of Sentry. in file user.php line 915 - Method "check_password" The method has 2 input parameters. At first he grabs the salt of the activation_hesh. The salt is 16-Char long.
    Then he uses the salt and activation_hesh/password to build a new hash on the basis of the complete password/activation_hesh with an new random salt. This is very wrong and results that the password can be never matched. 
    /**
  * Checks the given password to see if it matches the one in the database.
  *
  * @param   string  Password to check
  * @param   string  Password type
  * @return  bool
  */
 public function check_password($password, $field = 'password')
 {
  // grabs the salt from the current password
  $salt = substr($this->user[$field], 0, 16);

  // hash the inputted password
  $password = $salt.$this->hash_password($password, $salt);

 
  // check to see if passwords match
  return $password == $this->user[$field];
 }
    I have replaced it with:
    /**
  * Checks the given password to see if it matches the one in the database.
  *
  * @param   string  Password to check
  * @param   string  Password type
  * @return  bool
  */
 public function check_password($password, $field = 'password')
 {
  // check to see if passwords match
  return $password === $this->user[$field];
 }

    ADDED!!!

    If you want to create a new user by 
    $user = new Sentry\Sentry_User();
$added = $user->create(array('email'=>'foobar@gmail.de','password'=>'foobar'),$activation = true);
$user -> add_to_group('test');
    and now add this member to a group thats dont work!!!
    Solution:
    The method 'add_to_group' in user.php need the filled 'user' variable which is loaded when you create a new instance with a id or email. But if you want to create a new user this 'user' variable is empty.
    /**
  * Create's a new user.  Returns user 'id'.
  *
  * @param   array  User array for creation
  * @return  int
  * @throws  SentryUserException
  */
 public function create(array $user, $activation = false)
 {
  /*
   *  code shortened...
   */


  if ($activation)
  {
  
   if ($rows_affected > 0)
   {
    // ***Pass the user information to the global user variable so other methods like 'add_to_group' can use this**//
    $this->user = $metadata;
    
    return array(
     'user_id'   => (int) $insert_id,
     'hash' => base64_encode($user[$this->login_column]).'/'.$hash
    );
   }

   return false;
  }
  return ($rows_affected > 0) ? (int) $insert_id : false;
 }
  • HarroHarro
    Sentry for FuelPHP is not actively maintained by the author anymore. If you found a bug and have fixed it, fork the repository on github, fix it there, and send the author a pull request. I'm pretty sure he will accept it, which allows other to benefit from your fix too...
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion