From ab1ec1721c11a109546e162f87488db7dcfb9108 Mon Sep 17 00:00:00 2001
From: Michael Andreen
Date: Sat, 14 Jan 2017 13:12:44 +0100
Subject: [PATCH] Properly salt passwords
---
 database/functions/user_password.sql | 17 +++++++++++++++++
 lib/NDWeb/Auth/User.pm | 14 ++++++++++++--
 lib/NDWeb/Controller/Settings.pm | 12 ++++++++----
 3 files changed, 37 insertions(+), 6 deletions(-)
 create mode 100644 database/functions/user_password.sql
diff --git a/database/functions/user_password.sql b/database/functions/user_password.sql
new file mode 100644
index 0000000..889e49e
--- /dev/null
+++ b/database/functions/user_password.sql
@@ -0,0 +1,17 @@
+CREATE OR REPLACE FUNCTION user_password() RETURNS trigger
+ AS $_X$
+DECLARE
+BEGIN
+ IF COALESCE(NEW.password <> OLD.password,TRUE) AND
+ NOT NEW.password SIMILAR TO '$2a$\d+$[a-zA-Z0-9./]+'
+ THEN
+ NEW.password := crypt(NEW.password,gen_salt('bf',10));
+ END IF;
+ RETURN NEW;
+END;
+$_X$ LANGUAGE plpgsql;
+
+/*
+alter table users alter COLUMN password drop not null ;
+CREATE TRIGGER user_password BEFORE UPDATE OR INSERT ON users FOR EACH ROW EXECUTE PROCEDURE user_password()
+*/
diff --git a/lib/NDWeb/Auth/User.pm b/lib/NDWeb/Auth/User.pm
index c5738c3..a5e8366 100644
--- a/lib/NDWeb/Auth/User.pm
+++ b/lib/NDWeb/Auth/User.pm
@@ -102,10 +102,20 @@ sub from_session {
 sub check_password {
 my ( $self, $password ) = @_;
 my $query = $self->{c}->model->prepare(q{
- SELECT uid FROM users WHERE uid = ? AND password = md5(?)
+ SELECT uid FROM users WHERE uid = $1 AND password = crypt($2,password)
 });
 $query->execute($self->id,$password);
- if ($query->rows == 1){
+
+ if ($query->rows == 0) {
+ $query = $self->{c}->model->prepare(q{
+ UPDATE users SET password = $2
+ WHERE uid = $1 AND password = md5($2)
+ RETURNING uid
+ });
+ $query->execute($self->id,$password);
+ }
+
+ if ($query->rows == 1) {
 return $self;
 }
 return;
diff --git a/lib/NDWeb/Controller/Settings.pm b/lib/NDWeb/Controller/Settings.pm
index 5780c2b..a9aaf96 100644
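Review bot: The `CREATE TRIGGER user_password ...` and the `alter table users ... drop not null` at the bottom of user_password.sql sit inside a `/* ... */` comment, so loading this file defines the function but never attaches it to `users`; until the trigger is actually created, the `SET password = $2` in User.pm's check_password and the `SET password = $1` in Settings.pm's changePassword store the submitted password verbatim. Either move those two statements out of the comment into a migration that runs with the function (crypt() and gen_salt() come from pgcrypto, presumably already installed since the old code used md5 in SQL too), or have the Perl side call crypt() in the statement itself so hashing does not depend on schema state. The `SIMILAR TO` guard also means a submitted password that happens to look like `$2a$...` is stored unhashed and will then not verify through `crypt($2,password)`; a comment such as `-- Values already in bcrypt form are stored as-is; anything else is hashed, so callers may write the plaintext.` would make that contract explicit, and rejecting bcrypt-shaped input in the controller would close the gap.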
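Review bot: The fallback branch in check_password (after `if ($query->rows == 0)`) is a silent one-time migration and needs a comment, because its UPDATE writes the raw `$password` and only ends up hashed if the BEFORE UPDATE trigger from user_password.sql is installed. Suggested comment above the second prepare: `# Legacy rows hold md5(password); on an md5 match re-store the plaintext so the user_password trigger re-hashes it with bcrypt.` The same comment should say that a NULL `password` column (the companion SQL drops NOT NULL) makes the `password = crypt($2,password)` comparison not match and then fails the md5 comparison as well, so nobody reads the second query as a generic retry. `RETURNING uid` is unused since only `$query->rows` is consulted and could be dropped. check_password's closing brace is outside the hunk.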
--- a/lib/NDWeb/Controller/Settings.pm
+++ b/lib/NDWeb/Controller/Settings.pm
@@ -112,12 +112,16 @@ sub changePassword : Local {
 my ( $self, $c ) = @_;
 my $dbh = $c->model;
- my $query = $dbh->prepare(q{UPDATE users SET password = MD5($1)
- WHERE password = MD5($2) AND uid = $3
+ if (length $c->req->param('pass') < 4) {
+ $c->flash(error => "Your password need to be at least 4 characters");
+ } else {
+ my $query = $dbh->prepare(q{UPDATE users SET password = $1
+ WHERE password = crypt($2,password) AND uid = $3
 });
- $query->execute($c->req->param('pass'),$c->req->param('oldpass'),$c->user->id);
+ $query->execute($c->req->param('pass'),$c->req->param('oldpass'),$c->user->id);
- $c->flash(error => "Old password was invalid") unless $query->rows;
+ $c->flash(error => "Old password was invalid") unless $query->rows;
+ }
 $c->res->redirect($c->uri_for(''));
 }
-- 2.39.2
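Review bot: `$c->req->param('pass')` and `$c->req->param('oldpass')` are evaluated in list context inside `$query->execute(...)`, and Catalyst's param returns every value of that name in list context, so a request that sends the parameter twice (or omits `oldpass`) shifts the bind values and execute() dies on the wrong argument count instead of flashing an error. Read them once into scalars before the length check, `my $pass = scalar $c->req->param('pass'); my $oldpass = scalar $c->req->param('oldpass');`, and pass `$pass, $oldpass, $c->user->id` to execute(). The new value is only hashed by the user_password trigger (see the note on user_password.sql), and a 4-character floor is a weak minimum for a password that is now bcrypt-protected; consider a larger one and fixing the message to `"Your password needs to be at least 4 characters"`. changePassword's `sub` line is the hunk header's context, so the sub starts just before the hunk.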