Level 104
Are you double hashing the password?
1 like
Aug 28, 2024
11
Level 17
Laravel 9 invalid cred
I have an old Laravel 9 project that now gives invalid credentials suddenly the user is in the db I see it
I did not change anything
<?php
return [
/*
|--------------------------------------------------------------------------
| Authentication Defaults
|--------------------------------------------------------------------------
|
| This option controls the default authentication "guard" and password
| reset options for your application. You may change these defaults
| as required, but they're a perfect start for most applications.
|
*/
'defaults' => [
'guard' => 'web',
'passwords' => 'users',
],
/*
|--------------------------------------------------------------------------
| Authentication Guards
|--------------------------------------------------------------------------
|
| Next, you may define every authentication guard for your application.
| Of course, a great default configuration has been defined for you
| here which uses session storage and the Eloquent user provider.
|
| All authentication drivers have a user provider. This defines how the
| users are actually retrieved out of your database or other storage
| mechanisms used by this application to persist your user's data.
|
| Supported: "session"
|
*/
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
],
/*
|--------------------------------------------------------------------------
| User Providers
|--------------------------------------------------------------------------
|
| All authentication drivers have a user provider. This defines how the
| users are actually retrieved out of your database or other storage
| mechanisms used by this application to persist your user's data.
|
| If you have multiple user tables or models you may configure multiple
| sources which represent each model / table. These sources may then
| be assigned to any extra authentication guards you have defined.
|
| Supported: "database", "eloquent"
|
*/
'providers' => [
'users' => [
'driver' => 'eloquent',
'model' => App\Models\User::class,
],
// 'users' => [
// 'driver' => 'database',
// 'table' => 'users',
// ],
],
/*
|--------------------------------------------------------------------------
| Resetting Passwords
|--------------------------------------------------------------------------
|
| You may specify multiple password reset configurations if you have more
| than one user table or model in the application and you want to have
| separate password reset settings based on the specific user types.
|
| The expire time is the number of minutes that each reset token will be
| considered valid. This security feature keeps tokens short-lived so
| they have less time to be guessed. You may change this as needed.
|
*/
'passwords' => [
'users' => [
'provider' => 'users',
'table' => 'password_resets',
'expire' => 60,
'throttle' => 60,
],
],
/*
|--------------------------------------------------------------------------
| Password Confirmation Timeout
|--------------------------------------------------------------------------
|
| Here you may define the amount of seconds before a password confirmation
| times out and the user is prompted to re-enter their password via the
| confirmation screen. By default, the timeout lasts for three hours.
|
*/
'password_timeout' => 10800,
];
<?php
return [
/*
|--------------------------------------------------------------------------
| Default Hash Driver
|--------------------------------------------------------------------------
|
| This option controls the default hash driver that will be used to hash
| passwords for your application. By default, the bcrypt algorithm is
| used; however, you remain free to modify this option if you wish.
|
| Supported: "bcrypt", "argon", "argon2id"
|
*/
'driver' => 'bcrypt',
/*
|--------------------------------------------------------------------------
| Bcrypt Options
|--------------------------------------------------------------------------
|
| Here you may specify the configuration options that should be used when
| passwords are hashed using the Bcrypt algorithm. This will allow you
| to control the amount of time it takes to hash the given password.
|
*/
'bcrypt' => [
'rounds' => env('BCRYPT_ROUNDS', 10),
],
/*
|--------------------------------------------------------------------------
| Argon Options
|--------------------------------------------------------------------------
|
| Here you may specify the configuration options that should be used when
| passwords are hashed using the Argon algorithm. These will allow you
| to control the amount of time it takes to hash the given password.
|
*/
'argon' => [
'memory' => 65536,
'threads' => 1,
'time' => 4,
],
];
seeder
class DatabaseSeeder extends Seeder
{
/**
* Seed the application's database.
*
* @return void
*/
public function run()
{
// \App\Models\User::factory(10)->create();
$userAdmin = User::factory()->create([
'name' => 'Mr Fantastic',
'username' => 'admin',
'password' => Hash::make(env('USER_PASS')),
]);
$roleAdmin = Role::create([
'name' => 'admin',
]);
$userAdmin->roles()->save($roleAdmin);
$userAdmin->save();
$userRegular = User::factory()->create([
'name' => 'test user',
'username' => 'test',
'password' => Hash::make(env('USER_PASS')),
]);
$roleUser =Role::create([
'name' => 'user',
]);
$userRegular->roles()->save($roleUser);
$userRegular->save();
Warehouse::create([
'name' => 'test warehouse',
]);
Warehouse::create([
'name' => 'test warehouse 2',
]);
}
}
what could be wrong
the password hash does not match
I am using username instead of email
I tested it in tinker
and it resulted true!!
php artisan tinker
Psy Shell v0.11.10 (PHP 8.2.22 — cli) by Justin Hileman
> $user = App\Models\User::where('username', 'admin')->first();
= App\Models\User {#4091
id: 1,
created_by: null,
name: "Mr Fantastic",
username: "admin",
#password: "$2y$10********************************",
#remember_token: "********",
created_at: "2024-08-28 20:15:09",
updated_at: "2024-08-28 20:15:09",
}
> Hash::check('e********', $user->password);
= false
where if I did
>
> Hash::check(env('USER_PASS'), $user->password);
DEPRECATED password_verify(): Passing null to parameter #1 ($password) of type string is deprecated in vendor/laravel/framework/src/Illuminate/Hashing/AbstractHasher.php on line 32.
= true
Laravel authenticate func
public function authenticate()
{
$this->ensureIsNotRateLimited();
if (! Auth::attempt($this->only('username', 'password'), $this->boolean('remember'))) {
RateLimiter::hit($this->throttleKey());
throw ValidationException::withMessages([
'username' => trans('auth.failed'),
]);
}
RateLimiter::clear($this->throttleKey());
}
I also cleared all caches
php artisan --version
Laravel Framework 9.46.0
Level 17
@tykus how? where? I did not not change anything May I did some mistake which I do not think so but tell me where to check.
Level 17
@tykus i have did some updates and composer autoload to remove the error above
> Hash::check('e********', $user->password);
= false
now there is no errors but the hashing logic seems has some issue
Level 17
@tykus where if I did
> Hash::check(env('USER_PASS'), $user->password);
DEPRECATED password_verify(): Passing null to parameter #1 ($password) of type string is deprecated in vendor/laravel/framework/src/Illuminate/Hashing/AbstractHasher.php on line 32.
= true <=============|||||||||||||||||||||||||=====
So it is true if coming from env while not from plain text from browser request !!
Level 17
@tykus Now i see the password is null
so env func not working properly
> Hash::check(null, $user->password);
DEPRECATED password_verify(): Passing null to parameter #1 ($password) of type string is deprecated in vendor/laravel/framework/src/Illuminate/Hashing/AbstractHasher.php on line 32.
= true
Level 50
You're passing Hash::make(env('USER_PASS')) as the user's password in the seeder. If the user model has automatic hashing via casting, then that password gets hashed twice. This is what @tykus was talking about.
Check if you user model has something like this:
protected $casts = [
...
'password' => 'hashed',
...
];
// Or:
protected function casts(): array {
return [
...
'password' => 'hashed',
...
];
}
If it does, you don't need to hash the password beforehand.
1 like
Level 17
@JussiMannisto I do not have these 'password' => 'hashed',
i removed the env func and add the password hard coded and it works
Level 50
@lifesound So... you didn't have a USER_PASS entry in your .env file, did you?
1 like
Level 17
@JussiMannisto I have it
it is in front of me in .env file
I have another env file called env.example but I do not think it is related to do anything
Level 50
@lifesound Well it's null when you're trying to access it with env('USER_PASS'). The error message you posted shows this:
> Hash::check(env('USER_PASS'), $user->password);
DEPRECATED password_verify(): Passing null to parameter #1 ($password) of type string is deprecated in (...)
1 like
Level 17
@JussiMannisto yes there is something weird
although it connects to db from this .env file and it works for these env variables
1 like
Please or to participate in this conversation.