Merge pull request #6 from fusionresolveit/rework_auth

Rework auth of app
fusionresolveit · Dec 23, 2024 · a6d6a16 · a6d6a16
2 parents 5e4e3f5 + 201c8d2
commit a6d6a16
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 19 deletions.
diff --git a/db/migrations/20241102194124_fillemptydatabase_migration.php b/db/migrations/20241102194124_fillemptydatabase_migration.php
@@ -38,10 +38,10 @@ public function change(): void
       $item = $this->table('users');
       $data = [
         [
-          'name' => 'admin@foo.com',
+          'name' => 'admin',
           'entity_id' => 1,
           'lastname' => 'Administrator',
-          'password' => '',
+          'password' => \App\v1\Controllers\Token::generateDBHashPassword('adminIT'),
         ]
       ];
       $item->insert($data)
@@ -79,6 +79,17 @@ public function change(): void
       }
       $item->insert($data)
            ->saveData();
+
+      // Add profile to admin
+      $item = $this->table('profile_user');
+      $data = [
+        [
+          'user_id'    => 1,
+          'profile_id' => 1,
+        ]
+      ];
+      $item->insert($data)
+           ->saveData();
     }
   }
 }
diff --git a/src/v1/Controllers/Token.php b/src/v1/Controllers/Token.php
@@ -13,36 +13,63 @@ final class Token
    /**
     * Check is a password match the stored hash
     *
-    * @since 0.85
-    *
     * @param string $pass Password (pain-text)
     * @param string $hash Hash
     *
     * @return boolean
     */
-  public static function checkPassword($pass, $hash)
+  public static function checkPassword($password, $hash)
   {
-    $tmp = password_get_info($hash);
-    $verify = false;
-
-    if (isset($tmp['algo']) && $tmp['algo'])
+    if (is_null($password) || is_null($hash))
     {
-      $verify = password_verify($pass, $hash);
+      return false;
     }
-    elseif (strlen($hash) == 32)
+    if (!strstr($hash, '.'))
     {
-      $verify = md5($pass) === $hash;
+      return false;
     }
-    elseif (strlen($hash) == 40)
+
+    $spl = explode('.', $hash);
+    if (count($spl) !== 2 || empty($spl[0]) || empty($spl[1]))
     {
-      $verify = sha1($pass) === $hash;
+      return false;
     }
-    else
+    $hashpassword = self::hashPasword($password, hex2bin($spl[0]));
+
+    if ($hashpassword === $spl[1])
     {
-      $salt = substr($hash, 0, 8);
-      $verify = ($salt . sha1($salt . $pass) === $hash);
+      return true;
     }
-    return $verify;
+    return false;
+  }
+
+  public static function generateSalt()
+  {
+    $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
+    return $salt;
+  }
+
+  // recommandations of OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+  public static function hashPasword($password, $salt)
+  {
+    // Using bin2hex to keep output readable
+    return bin2hex(
+      sodium_crypto_pwhash(
+        32,
+        $password,
+        $salt,
+        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
+        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
+        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
+      )
+    );
+  }
+
+  public static function generateDBHashPassword($password)
+  {
+    $salt = self::generateSalt();
+    $hash = self::hashPasword($password, $salt);
+    return bin2hex($salt) . '.' . $hash;
   }
 
   public function generateJWTToken(
@@ -97,7 +124,6 @@ public function generateJWTToken(
       header('Location: ' . $basePath);
       exit();
     }
-
     $now = new DateTime();
     $future = new DateTime("+2000 minutes");
     // For test / DEBUG

diff --git a/tests/unit/v1/Controllers/TokenTest.php b/tests/unit/v1/Controllers/TokenTest.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\unit\v1\Controllers;
+
+use PHPUnit\Framework\TestCase;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\DataProvider;
+
+#[CoversClass('\App\v1\Controllers\Token')]
+
+final class TokenTest extends TestCase
+{
+  public static function checkPawwsordProvider(): array
+  {
+    return [
+      ['adminIT', 'c58a5addefacdd3629c6a960ba7f5a08.da2b2a51e01cd89edc6d58a7b1878933ea788ce51e0336a15dc597f92d71d18f', true],
+      ['admin IT', 'c58a5addefacdd3629c6a960ba7f5a08.da2b2a51e01cd89edc6d58a7b1878933ea788ce51e0336a15dc597f92d71d18f', false],
+      ['adminIT', 'c88a5addefacdd3629c6a960ba7f5a08.da2b2a51e01cd89edc6d58a7b1878933ea788ce51e0336a15dc597f92d71d18f', false],
+      ['adminIT', 'c58a5addefacdd3629c6a960ba7f5a08.da2b2a51e01cd89edc6d58a7b1878933eb788ce51e0336a15dc597f92d71d18f', false],
+      ['adminIT', 'c58a5addefacdd3629c6a960ba7f5a08.', false],
+      ['adminIT', null, false],
+      ['adminIT', '', false],
+      ['adminIT', '.', false],
+      ['adminIT', 'c58a5addefacdd3629c6a960ba7f5a08.da2b2a51e01cd89edc6d58a7b1878933ea788ce51e0336a15dc597f92d71d18f.test', false],
+    ];
+  }
+
+  #[DataProvider('checkPawwsordProvider')]
+  public function testCheckPassword($password, $hash, $expected)
+  {
+    $state = \App\v1\Controllers\Token::checkPassword($password, $hash);
+    $this->assertEquals($expected, $state);
+  }
+}