simplify internal authentication code and bump default algo to SSHA-512

2025-12-13 08:15:55 +00:00 · 2021-03-01 15:24:18 +03:00
parent 320503dd39
commit 6359259dbb
10 changed files with 152 additions and 169 deletions
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -1038,19 +1038,6 @@ class Pref_Prefs extends Handler_Protected {
 		}
 	}

-	static function _is_default_password() {
-		$authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
-
-		if ($authenticator &&
-                method_exists($authenticator, "check_password") &&
-                $authenticator->check_password($_SESSION["uid"], "password")) {
-
-			return true;
-		}
-
-		return false;
-	}
-
 	function otpdisable() {
 		$password = clean($_REQUEST["password"]);

@@ -1404,12 +1391,6 @@ class Pref_Prefs extends Handler_Protected {
 		<?php
 	}

-	private function _encrypt_app_password($password) {
-		$salt = substr(bin2hex(get_random_bytes(24)), 0, 24);
-
-		return "SSHA-512:".hash('sha512', $salt . $password). ":$salt";
-	}
-
 	function deleteAppPassword() {
 		$ids = explode(",", clean($_REQUEST['ids']));
 		$ids_qmarks = arr_qmarks($ids);
@@ -1423,7 +1404,8 @@ class Pref_Prefs extends Handler_Protected {
 	function generateAppPassword() {
 		$title = clean($_REQUEST['title']);
 		$new_password = make_password(16);
-		$new_password_hash = $this->_encrypt_app_password($new_password);
+		$new_salt = UserHelper::get_salt();
+		$new_password_hash = UserHelper::hash_password($new_password, $new_salt, UserHelper::HASH_ALGOS[0]);

 		print_warning(T_sprintf("Generated password <strong>%s</strong> for %s. Please remember it for future reference.", $new_password, $title));

@@ -1432,7 +1414,7 @@ class Pref_Prefs extends Handler_Protected {
    		 VALUES
    		    (?, ?, ?, NOW(), ?)");

-		$sth->execute([$title, $new_password_hash, Auth_Base::AUTH_SERVICE_API, $_SESSION['uid']]);
+		$sth->execute([$title, "$new_password_hash:$new_salt", Auth_Base::AUTH_SERVICE_API, $_SESSION['uid']]);

 		$this->appPasswordList();
 	}
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@@ -107,7 +107,7 @@ class Pref_Users extends Handler_Administrative {

 		function editSave() {
 			$login = clean($_REQUEST["login"]);
-			$uid = clean($_REQUEST["id"]);
+			$uid = (int) clean($_REQUEST["id"]);
 			$access_level = (int) clean($_REQUEST["access_level"]);
 			$email = clean($_REQUEST["email"]);
 			$password = clean($_REQUEST["password"]);
@@ -118,19 +118,13 @@ class Pref_Users extends Handler_Administrative {
 			// forbid renaming admin
 			if ($uid == 1) $login = "admin";

-			if ($password) {
-				$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
-				$pwd_hash = encrypt_password($password, $salt, true);
-				$pass_query_part = "pwd_hash = ".$this->pdo->quote($pwd_hash).",
-					salt = ".$this->pdo->quote($salt).",";
-			} else {
-				$pass_query_part = "";
-			}
-
-			$sth = $this->pdo->prepare("UPDATE ttrss_users SET $pass_query_part login = LOWER(?),
-				access_level = ?, email = ?, otp_enabled = false WHERE id = ?");
+			$sth = $this->pdo->prepare("UPDATE ttrss_users SET login = LOWER(?),
+					access_level = ?, email = ?, otp_enabled = false WHERE id = ?");
 			$sth->execute([$login, $access_level, $email, $uid]);

+			if ($password) {
+				UserHelper::reset_password($uid, false, $password);
+			}
 		}

 		function remove() {
@@ -153,8 +147,8 @@ class Pref_Users extends Handler_Administrative {
 		function add() {
 			$login = clean($_REQUEST["login"]);
 			$tmp_user_pwd = make_password();
-			$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
-			$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
+			$salt = UserHelper::get_salt();
+			$pwd_hash = UserHelper::hash_password($tmp_user_pwd, $salt, UserHelper::HASH_ALGOS[0]);

 			if (!$login) return; // no blank usernames