
bwrigley

Casting to hash or Hash Facade?

I was just looking through a newly installed Laravel project and I wanted to remove all the password hashing from PasswordController, RegisteredUserController and NewPasswordController to test something, but I noticed the password was still being hashed in the DB.

I realised that in the User model it is already casting the password field to a hashed type. Sure enough, commenting this out, I get a plain text password in the DB.

My (probably stupid) question is, why doesn't this cause a double-hashing of the password if it's casting to a hash AND the controllers are also hashing, or does the casting recognise it's already hashed?

And if I'm casting password to a hash in the User model, why would I need to hash it in controllers at all?

0 likes
2 replies
Amaury
Best Answer

@bwrigley Hi. If you use the hashed casting attribute, you don’t need to hash the value before.

As you can see in the Illuminate\Database\Eloquent\Concerns\HasAttributes trait, there is a test to check if the value is already hashed to prevent double-hashing:

    /**
     * Cast the given attribute to a hashed string.
     *
     * @param  string  $key
     * @param  mixed  $value
     * @return string
     */
    protected function castAttributeAsHashedString($key, $value)
    {
        if ($value === null) {
            return null;
        }

        if (! Hash::isHashed($value)) {
            return Hash::make($value);
        }

        if (! Hash::verifyConfiguration($value)) {
            throw new RuntimeException("Could not verify the hashed value's configuration.");
        }

        return $value;
    }
1 like
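The guard quoted in the answer above, re-created in plain PHP as an added example (not part of the thread and not Laravel's own code). It assumes `Hash::isHashed()` can be modelled with PHP's `password_get_info()`, leaves out the `verifyConfiguration()` step, and uses the hypothetical helper names `looksHashed()` and `castHashed()`; it needs PHP 7.4 or later.

```php
<?php
// Added example: stand-alone sketch of the double-hashing guard.
// Assumption: Hash::isHashed() is modelled with password_get_info().

function looksHashed(string $value): bool
{
    // For a string that is not in a recognised password_hash() format,
    // password_get_info() reports 'algo' as null (PHP 7.4+).
    return password_get_info($value)['algo'] !== null;
}

function castHashed(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    // Hash plain text once; pass an existing hash through untouched.
    return looksHashed($value) ? $value : password_hash($value, PASSWORD_BCRYPT);
}

$plain = 'correct horse battery staple'; // constructed sample password

// Case 1: the controller hands over plain text and the cast hashes it.
$fromPlain = castHashed($plain);

// Case 2: the controller already hashed the value (as Hash::make() would),
// so the cast must store exactly what it was given.
$controllerHash = password_hash($plain, PASSWORD_BCRYPT);
$fromHash = castHashed($controllerHash);

// Counter-case: what would be stored if the guard were missing,
// i.e. a hash of the controller's hash.
$double = password_hash($controllerHash, PASSWORD_BCRYPT);

$report = [
    'plain input is hashed by the cast'   => $fromPlain !== $plain && looksHashed($fromPlain),
    'login works after cast-only hashing' => password_verify($plain, $fromPlain),
    'pre-hashed input is left unchanged'  => $fromHash === $controllerHash,
    'login works after controller + cast' => password_verify($plain, $fromHash),
    'login works after a double hash'     => password_verify($plain, $double),
];

foreach ($report as $label => $ok) {
    printf("%-38s %s\n", $label, $ok ? 'yes' : 'no');
}
```

The last row is the failure the guard exists to prevent: a hash of a hash no longer verifies against the password the user actually types.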
bwrigley

@Amaury ah brilliant, that's what I suspected must be happening somewhere. Thank you for solving the mystery for me!
