2

I am new in php and working on REST API in cakephp3 for my android application.

after setting up php and composer and routing I created login function..

public function login() {
    $this->request->allowMethod('post');
    $this->loadModel('Users');
    $entity = $this->Users->newEntity($this->request->data, ['validate' => 'LoginApi']);
    if ($entity->errors()) {
        $this->httpStatusCode = 400;
        $this->apiResponse['message'] = 'Validation failed.';
        foreach ($entity->errors() as $field => $validationMessage) {
            $this->apiResponse['error'][$field] = $validationMessage[key($validationMessage)];
        }
    } else {
        $hasher = new DefaultPasswordHasher();
        $password = $hasher->hash($entity->password);

        $user = $this->Users->find()
            ->where([
                'email' => $entity->email,
                'password' => $password
            ])
            ->first();
        if (empty($user)) {
            $this->httpStatusCode = 403;
            $this->apiResponse['error'] = 'Invalid email or password.';
            return;
        }
        $payload = ['email' => $user->email, 'name' => $user->name];
        $this->apiResponse['token'] = JwtToken::generateToken($payload);
        $this->apiResponse['message'] = 'Logged in successfully.';
        isset($user);
        isset($payload);
    }
 }

I use 123456 for password and this hasher returns random string every time, but the password which is already saved in database for 123456 is $2y$10$f7K02jamD7ZeGHLcTkP6Weh6VsthMWHiwqHJmcqbsxuLCKGCQCGCu this.

that is why it gives Invalid password in response.

My question is how to match the exact same string or hashing for request. thanks in advance.

Cruiser Raga S
  • 100
  • 8

3 Answers3

1

With reference to this answer

Use this line

password_verify($entity->password, $user->password)

instead of this

$hasher = new DefaultPasswordHasher();
$password = $hasher->hash($entity->password);

you can try this function 

public function login()
{
    $this->request->allowMethod('post');
    $this->loadModel('Users');
    $entity = $this->Users->newEntity($this->request->data, ['validate' => 'LoginApi']);
    if ($entity->errors()) {
        $this->httpStatusCode = 400;
        $this->apiResponse['message'] = 'Validation failed.';
        foreach ($entity->errors() as $field => $validationMessage) {
            $this->apiResponse['error'][$field] = $validationMessage[key($validationMessage)];
        }
    } else {
        $user = $this->Users->find()->where(['email' => $entity->email])->first();
        if (count($user)) {
            if (password_verify($entity->password, $user->password)) {
                $payload = ['email' => $user->email, 'password' => $user->password];
                $this->apiResponse['token'] = JwtToken::generateToken($payload);
                unset($user->password);
                $this->apiResponse['response'] = array($user);
                unset($user);
                unset($payload);
            } else {
                $this->httpStatusCode = 403;
                $this->apiResponse['error'] = 'Incorrect password';
                return;
            }
        } else {
            $this->httpStatusCode = 403;
            $this->apiResponse['error'] = 'Email not found';
            return;
        }
    }
}
Anurag Shrivastava
  • 650
  • 7
  • 25
0

The general idea would be to hash according to a key you specify.

An advice would be to keep changing the key periodically. You will then need to dehash your save into the clear again using the old key then rehash on new.

I'm not sure if the option is available to you, so you might want to take it with a grain of salt.

Cheers

Rabih Melko
  • 68
  • 10
  • What do you mean by "dehash"? – Greg Schmidt May 18 '18 at 21:07
  • By dehash, I mean decrypt your hashed message. Bear in mind however that you cannot reverse a hash (it won't be a hashing function). For your need, you will have to use a cryptographic function with trapdoor – Rabih Melko May 21 '18 at 05:18
0

First of all, CakePHP ships with authentication functionality out of the box, and I'd strongly suggest that you make use of that instead of running your own, given that it sounds as if you're looking for deterministic algorithms, this can very easily backfire.

If you are using CakePHP 3.5+, look into the authentication middleware plugin (currently in RC phase), for earlier CakePHP versions, use the authentication component.

For the sake of completeness, if you were to do this manually, you'd first query the user by its unique identifier (in your case the email address), and then compare the password at PHP level, using the password hashers AbstractPasswordHasher::check() implementation:

$user = $this->Users
    ->find()
    ->where([
        'email' => $this->request->data('email')
    ])
    ->first();

if (!$user ||
    $hasher->check($this->request->data('password'), $user->password) !== true
) {
    // authentication failed
} else {
    // authentication succeeded
}
ndm
  • 59,784
  • 9
  • 71
  • 110