Yes, sorry, I have a text file of a few fake passwords that I've been copy/pasting to test and just grabbed a different one this time.
The login method already has a check on the password matching, and the function used is basically just password_verify but also fails over to crypt on PHP < 5.5.
PHP Code:
public function check_passwd( $hash, $password )
{
    if( is_php('5.5') && password_verify( $password, $hash ) ){
        return TRUE;
    }else if( $hash === crypt( $password, $hash ) ){
        return TRUE;
    }
    return FALSE;
}
So now I have two checks on the password validating in the login method:
PHP Code:
// Confirm user
if( ! $this->_user_confirmed( $auth_data, $requirement, $passwd ) )
{
    // Login failed ...
    log_message(
        'debug',
        "\n user is banned = " . ( $auth_data->banned === 1 ? 'yes' : 'no' ) .
        "\n password in database = " . $auth_data->passwd .
        "\n supplied password match = " . ($this->check_passwd( $auth_data->passwd, $passwd ) ? "True" : "False") .
        "\n Password Validation = " . (password_verify($auth_data->passwd, $passwd) ? "Passed" : "Failed") .
        "\n required level or role = " . ( is_array( $requirement ) ? implode( $requirement ) : $requirement ) .
        "\n auth level in database = " . $auth_data->auth_level .
        "\n auth level equivalant role = " . $this->roles[$auth_data->auth_level]
    );
}
Logs:
Code:
DEBUG - 2020-08-04 23:20:26 -->
password stored in DB = $2y$11$8oe4JRwsm1LK1S8MqPd0sOQobASUdOIzx.KeFXO5bT.Tm.Ar5h86.
DEBUG - 2020-08-04 23:20:27 -->
Password Validation = Passed
DEBUG - 2020-08-04 23:21:35 -->
string = admin
password = 1aA!@#%^&*()-_=+{};:,<.>
DEBUG - 2020-08-04 23:21:36 -->
user is banned = no
password in database = $2y$11$8oe4JRwsm1LK1S8MqPd0sOQobASUdOIzx.KeFXO5bT.Tm.Ar5h86.
supplied password match = False
Password Validation = Failed
required level or role = 1
auth level in database = 9
auth level equivalant role = admin
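Added example, not part of the original post or the library's own code: a variant of the check above that compares the crypt() fallback in constant time, plus a debug line that records only the outcome and the stored hash length instead of the hash and the supplied password. The function names and the sample password are constructed for illustration, and function_exists() stands in for the post's is_php('5.5') check.

```php
<?php
// Added example. Function names below are hypothetical, not the library's.

// Constant-time string comparison; uses hash_equals() where PHP provides it (5.6+).
function constant_time_equals($known, $supplied)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $supplied);
    }
    if (strlen($known) !== strlen($supplied)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($supplied[$i]);
    }
    return $diff === 0;
}

// Same contract as the post's check_passwd( $hash, $password ).
function check_passwd_hardened($hash, $password)
{
    if (function_exists('password_verify')) {
        // Signature is password_verify($password, $hash): plaintext first.
        return password_verify($password, $hash);
    }
    $computed = crypt($password, $hash);
    // On failure crypt() returns a short marker string, never a full hash.
    return is_string($computed) && strlen($computed) > 12
        && constant_time_equals($hash, $computed);
}

// Debug line that records outcomes only: no stored hash, no supplied password.
// A bcrypt hash is 60 characters, so a shorter length points at a truncated column.
function login_debug_message($hash, $password)
{
    return "\n supplied password match = "
        . (check_passwd_hardened($hash, $password) ? 'True' : 'False')
        . "\n stored hash length = " . strlen($hash);
}

// Constructed sample data (password_hash requires PHP 5.5+).
$password = 'constructed-Sample-1!';
$hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 4));
echo login_debug_message($hash, $password), "\n";
// Arguments reversed: the hash is treated as the plaintext and the
// plaintext as the hash, so the comparison cannot succeed.
var_dump(password_verify($hash, $password));
```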