Closed niccofyren closed 4 years ago
Looks like this fix breaks normal login.
Reverted the line `if(!$this->User->correctPassword($userGoingIn, $pass)) {` in prod
Ok. Will keep looking into this this evening then
Think the bug has been fixed now. With the latest commit both regular login and the "login" that happens during event change should work.
Great stuff
When improving password security we inadvertently broke the change event functionality built into AuthComponent, by checking the `pass` key as a normal password input. Turns out this is actually the raw password hash, not a password string. The updated version checks the password hash from session against the password hash from the user model as before. Also changes the names from `pass` and `password` to `passwordHash` to make things a bit more obvious.

A quick fix for this is live in the current app, but not in a persistent fashion. So suggest we merge this sooner rather than later 😅