gathering / wannabe

Event-system for TG - wannabe.gathering.org
GNU General Public License v3.0

Fix issue where we checked cookie password-hash as a password #43

Closed niccofyren closed 4 years ago

niccofyren commented 4 years ago

When improving password security we inadvertently broke the change-event functionality built into AuthComponent by checking the pass key as a normal password input. Turns out this is actually the raw password hash, not a password string.

The updated version checks the password hash from the session against the password hash from the user model, as before. It also changes the names from pass and password to passwordHash to make things a bit more obvious.

A quick fix for this is live in the current app, but not in a persistent fashion. So suggest we merge this sooner rather than later 😅
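The distinction the PR description draws, as an added illustration in plain PHP that is not wannabe's or CakePHP's code: a plaintext password from the login form goes through a password check (here `password_verify`), while a hash that is already sitting in the session can only be compared hash-to-hash (here `hash_equals`). The `loginWithPassword`, `reauthFromSession`, `passwordHash` key and the sample user are all constructed for this example and are not the project's identifiers.

```php
<?php
// Added example, not project code. Shows why the same check cannot serve both
// the login form (plaintext password) and the session re-check (stored hash).

// Path 1: login form. $password is what the user typed; the stored value is a
// password_hash() string, so password_verify() re-hashes the input and compares.
function loginWithPassword(array $user, string $password): bool
{
    return password_verify($password, $user['passwordHash']);
}

// Path 2: re-authentication from session. The session already carries the hash,
// so it is compared hash-to-hash in constant time. Feeding it to
// loginWithPassword() instead would hash the hash and reject a valid session,
// which is the bug the PR describes.
function reauthFromSession(array $user, string $sessionPasswordHash): bool
{
    return hash_equals($user['passwordHash'], $sessionPasswordHash);
}

// Constructed sample data (assumption: the user model stores the hash under
// a key named 'passwordHash' and the session holds a copy of that hash).
$user = [
    'id'           => 1,
    'passwordHash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
$session = ['passwordHash' => $user['passwordHash']];

// Each check with its intended input, and each check with the other path's input.
$results = [
    'login, plaintext password'      => loginWithPassword($user, 'correct horse battery staple'),
    'login, wrong password'          => loginWithPassword($user, 'wrong'),
    'login, session hash as password' => loginWithPassword($user, $session['passwordHash']),
    'reauth, session hash'           => reauthFromSession($user, $session['passwordHash']),
    'reauth, plaintext as hash'      => reauthFromSession($user, 'correct horse battery staple'),
];

foreach ($results as $label => $ok) {
    printf("%-34s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Run with `php example.php`. Only the two rows that pair a check with its own kind of input are accepted: handing the session hash to the password check is rejected because `password_verify` treats the hash string as a password and re-hashes it (the original breakage), and handing a plaintext password to the hash comparison is rejected because the strings differ (what the first attempted fix did to normal login, per the comment below). One caveat for anyone reusing this pattern: whatever the session or cookie carries into `reauthFromSession` acts as a bearer credential for that re-check, so the example only reproduces the distinction the PR draws, not a recommendation to keep password hashes client-side.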

olemathias commented 4 years ago

Looks like this fix breaks normal login. Reverted the line `if(!$this->User->correctPassword($userGoingIn, $pass)) {` in prod.

niccofyren commented 4 years ago

Ok. Will keep looking into this this evening then

niccofyren commented 4 years ago

Think the bug has been fixed now. With the latest commit both regular login and the "login" that happens during event change should work.

mfyll commented 4 years ago

Great stuff