Mythauth - update password form
#4

(03-21-2021, 08:49 PM)InsiteFX Wrote: Because if you look at the code you will see that it is also creating a token and cookie.
On login it looks for that token and cookie.

Best to look at the Myth/Auth code and see what it is doing.

SEE: Entities/User.php - setPassword() method.

Thanks for adapting your post.

I had already taken a look at the function and adapted my password_hash() function based on that before. However, I can't find the creation of a token or cookie anywhere here.

I have attached the code once below and added my "explanations". Am I misunderstanding something here?

In any case, thank you very much for your help!

Code:
public function setPassword(string $password) {

        //Getting the config from the Auth.php file including the hash algorithm I want to use.

        $config = config('Auth');

        //Check if I want to use ARGON as the hash algorithm. So everything in this if clause is only relevant for the
        //use of ARGON.  

        if (
            (defined('PASSWORD_ARGON2I') && $config->hashAlgorithm == PASSWORD_ARGON2I)
                ||
            (defined('PASSWORD_ARGON2ID') && $config->hashAlgorithm == PASSWORD_ARGON2ID)
            )
        {
            $hashOptions = [
                'memory_cost' => $config->hashMemoryCost,
                'time_cost'   => $config->hashTimeCost,
                'threads'     => $config->hashThreads
                ];
        }
        //If I do not use ARGON, in the else clause the music plays, because I use PASSWORD_DEFAULT.
        //So first the costs are defined and then the password is hashed. The code after that is only relevant
        //if the reset function is used (in my situation not the case).
        else
        {
            $hashOptions = [
                'cost' => $config->hashCost
                ];
        }

        $this->attributes['password_hash'] = password_hash(
            base64_encode(
                hash('sha384', $password, true)
            ),
            $config->hashAlgorithm,
            $hashOptions
        );

        /*
            Set these vars to null in case a reset password was asked.
            Scenario:
                user (a *dumb* one with short memory) requests a
                reset-token and then does nothing => asks the
                administrator to reset his password.
            User would have a new password but still anyone with the
            reset-token would be able to change the password.
        */
        $this->attributes['reset_hash'] = null;
        $this->attributes['reset_at'] = null;
        $this->attributes['reset_expires'] = null;
    }
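The `setPassword()` code in the post above stores a hash of `base64_encode(hash('sha384', $password, true))`, not of the raw password, so any code that checks a password has to apply the same transform before calling `password_verify()`. The following is an added example, not part of the original post and not Myth/Auth's own code; the function names, the fixed bcrypt cost and the sample passwords are constructed, and `PASSWORD_BCRYPT` is named explicitly so the 72-byte behaviour is deterministic.

```php
<?php
// Added example: function names are hypothetical, not Myth/Auth's API.

// Same transform as setPassword(): raw SHA-384 (48 bytes) encoded as
// base64 (64 characters), which fits bcrypt's 72-byte input limit.
function prehash(string $password): string
{
    return base64_encode(hash('sha384', $password, true));
}

function hashPassword(string $password): string
{
    // Cost 10 is a constructed value; the page reads it from $config->hashCost.
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => 10]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Repeat the pre-hash, or a correct password will never match.
    return password_verify(prehash($password), $storedHash);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("unexpected result: $what");
    }
    echo "ok: $what\n";
}

// Constructed sample passwords.
$stored = hashPassword('correct horse battery staple');
check(verifyPassword('correct horse battery staple', $stored), 'pre-hashed check accepts the password');
check(!password_verify('correct horse battery staple', $stored), 'raw password_verify() rejects it');
check(!verifyPassword('wrong password', $stored), 'wrong password is rejected');

// Plain bcrypt ignores everything past 72 bytes; the pre-hash does not.
$a = str_repeat('x', 72) . 'first-ending';
$b = str_repeat('x', 72) . 'other-ending';
$plain = password_hash($a, PASSWORD_BCRYPT, ['cost' => 10]);
check(password_verify($b, $plain), 'plain bcrypt treats both long passwords as equal');
check(!verifyPassword($b, hashPassword($a)), 'pre-hashed bcrypt tells them apart');
```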

