benedmunds / CodeIgniter-Ion-Auth

Simple and Lightweight Auth System for CodeIgniter
http://benedmunds.com/ion_auth/
MIT License
2.34k stars, 1.14k forks

Password silently erased from database if password_hash fails #1491

Closed jamieburchell closed 3 years ago

jamieburchell commented 3 years ago

Which branch are you using? 3

What commit hash are you on? 14a9bb1

What CodeIgniter version are you using? v3

What PHP version are you using? 7.4

Describe the bug: The password is erased from the database if password_hash is unable to hash the password, say for example, because of an error:

password_hash(): A thread value other than 1 is not supported by this implementation /var/www/vhosts/example.com/application/models/Ion_auth_model.php 304

It seems in certain circumstance the password_hash function may return NULL instead of FALSE, this being one such case.

https://bugs.php.net/bug.php?id=77218

To Reproduce: In my case, PHP 7.4 with sodium libs caused the password_hash to fail with a thread count of 2 when using argon2 and logging in with an existing bcrypt password, but I'm guessing any time password_hash fails with NULL this will happen.

Expected behaviour: This should probably be a fatal error. At the very least, it shouldn't wipe out an existing password.

jamieburchell commented 3 years ago

I think this one could be solved by checking for NULL or FALSE from this return call as apparently it could be either.
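The defensive pattern suggested in the report above and in this comment (never let a NULL or FALSE from password_hash reach the database, and leave the existing hash untouched when hashing fails) as an added, stand-alone PHP example. This is not Ion Auth's code and not the fix committed for this issue; the function names, the in-memory `$users` array standing in for the users table, and the injectable `$hasher` callable (used only so the NULL failure path can be exercised without reproducing the argon2/sodium environment) are all assumptions of the example.

```php
<?php
declare(strict_types=1);

/**
 * Wrap password_hash() so that a NULL or FALSE result can never be stored.
 * $hasher is injectable only so the failure path can be demonstrated offline;
 * in real code it would simply be the built-in 'password_hash'.
 */
function hash_password_strict(string $password, callable $hasher = 'password_hash', $algo = PASSWORD_DEFAULT, array $options = []): string
{
    $hash = $hasher($password, $algo, $options);

    // password_hash() is documented to return FALSE on failure, but as the issue
    // notes it can also return NULL (PHP bug #77218). Treat anything other than a
    // non-empty string as a failure instead of writing it to the password column.
    if (!is_string($hash) || $hash === '') {
        throw new RuntimeException('password_hash() failed; refusing to store an empty password hash');
    }
    return $hash;
}

/**
 * Rehash-on-login: verify the stored hash and, only if a rehash is needed AND the
 * new hash was produced successfully, write it back. On failure the existing hash
 * stays in place and the login still succeeds.
 * $users is a constructed in-memory stand-in for the users table.
 */
function login_and_rehash(array &$users, string $identity, string $password, callable $hasher = 'password_hash', $algo = PASSWORD_DEFAULT, array $options = []): bool
{
    if (!isset($users[$identity])) {
        return false;
    }
    $stored = $users[$identity]['password'];
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, $algo, $options)) {
        try {
            $users[$identity]['password'] = hash_password_strict($password, $hasher, $algo, $options);
        } catch (RuntimeException $e) {
            // Log and carry on: the old (still valid) hash is never overwritten.
            error_log($e->getMessage());
        }
    }
    return true;
}

// --- demonstration with constructed sample data ---
$users = ['alice' => ['password' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4])]];

// 1. Normal path: the low-cost bcrypt hash is verified and rehashed with the default settings.
var_dump(login_and_rehash($users, 'alice', 'correct horse'));

// 2. Failure path: a hasher that returns NULL, mimicking the behaviour reported in the issue.
$brokenHasher = function (string $p, $algo, array $o) { return null; };
$before = $users['alice']['password'];
var_dump(login_and_rehash($users, 'alice', 'correct horse', $brokenHasher, PASSWORD_BCRYPT, ['cost' => 5]));
var_dump($users['alice']['password'] === $before); // true: the existing hash survived the failed rehash
```

The key design choice is that the type check sits in the hashing wrapper rather than in every caller, so any code path that updates a password (login rehash, password change, reset) gets the same guarantee; whether a failed rehash should be logged and tolerated, as here, or escalated to a fatal error, as the report suggests, is a policy decision made at the call site.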

benedmunds commented 3 years ago

Thanks for investigating this.

I just committed a fix for this here: 98cbf388efe8898bc0ec25c4c99b5711e9d283e7

This should be backwards compatible as well.

Let me know if this resolves the issue for you.