panique / huge

Simple user-authentication solution, embedded into a small framework.

Problem merge #897 #898

Closed cristopher closed 3 years ago

cristopher commented 3 years ago

The Problem

After the hash update, the function bin2hex(random_bytes(40)) generates a string of 80 characters; because the database field only accepts 40 characters, the value is truncated.

When requesting a password reset, the user receives the email successfully, but with the 80-character string.

localhost/login/verifypasswordreset/1/4d7b5b4cc077adae773ef4113a86b69d71ff6a002cab392d7deda38e5fc6728b90ff7b3e8997e95d

When the user clicks on the link, the platform compares the data received with the data stored; they do not match and the system returns an error:

"FEEDBACK_PASSWORD_RESET_COMBINATION_DOES_NOT_EXIST"

The problem also occurs when creating new accounts:

localhost/register/verify/3/0cb0af07af231472b66598585a05a854355d70a7a8bbaeaf0c1ac0ab6df4d76dc7050e36899654bd

"FEEDBACK_ACCOUNT_ACTIVATION_FAILED"


https://www.writephponline.com

echo bin2hex(random_bytes(40));

== 80 CHAR

Solution

In order not to reduce the security offered by a long hash, the user_password_reset_hash AND user_activation_hash fields are increased to 80 characters.

The panique/huge product is a system that has finished shutting down; please check all functions before making updates.

A big hug
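To make the failure described above concrete, here is an added PHP example; it is not code from panique/huge. The token generation (bin2hex(random_bytes(40))) and the two column widths (40 before, 80 after) come from the issue; the function names, the simulated VARCHAR column, and the in-memory comparison are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Column widths as described in the issue: the old schema stored a
// 40-character token; the proposed fix widens both columns to 80.
const OLD_COLUMN_WIDTH = 40;
const NEW_COLUMN_WIDTH = 80;

/**
 * Token as generated after the hash update: 40 random bytes, hex-encoded,
 * which is 2 hex characters per byte, so 80 characters in total.
 */
function generateToken(int $bytes = 40): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * Simulation (assumption, not a real query) of what MySQL does with a
 * VARCHAR(n) column when strict SQL mode is off: the value is silently
 * cut to n characters with only a warning, not an error.
 */
function storeInVarchar(string $value, int $width): string
{
    return mb_substr($value, 0, $width);
}

/**
 * Mirrors the verification step: the token taken from the emailed link is
 * compared with the stored one. hash_equals() keeps the comparison
 * constant-time so the token cannot be guessed byte by byte via timing.
 */
function tokenMatches(string $stored, string $fromLink): bool
{
    return hash_equals($stored, $fromLink);
}

/**
 * Application-level guard: refuse to save a token that would not survive the
 * column width, rather than discovering the truncation when the user clicks
 * the link and gets FEEDBACK_PASSWORD_RESET_COMBINATION_DOES_NOT_EXIST.
 */
function fitsColumn(string $token, int $width): bool
{
    return mb_strlen($token) <= $width;
}

$token = generateToken();   // 80 hex characters
$emailedLink = "localhost/login/verifypasswordreset/1/$token";

// Before the schema change: the stored value is cut to 40 characters, so the
// 80-character token carried by the link never matches.
$storedOld = storeInVarchar($token, OLD_COLUMN_WIDTH);
printf("token length: %d\n", strlen($token));
printf("fits VARCHAR(%d): %s\n", OLD_COLUMN_WIDTH, fitsColumn($token, OLD_COLUMN_WIDTH) ? 'yes' : 'no');
printf("stored (old schema): %s (%d chars)\n", $storedOld, strlen($storedOld));
printf("link token matches stored: %s\n", tokenMatches($storedOld, $token) ? 'yes' : 'no');

// After widening both columns to 80 characters nothing is cut off and the
// comparison succeeds.
$storedNew = storeInVarchar($token, NEW_COLUMN_WIDTH);
printf("fits VARCHAR(%d): %s\n", NEW_COLUMN_WIDTH, fitsColumn($token, NEW_COLUMN_WIDTH) ? 'yes' : 'no');
printf("link token matches stored: %s\n", tokenMatches($storedNew, $token) ? 'yes' : 'no');
```

Run it with php example.php. One caveat worth knowing when reproducing the issue: the silent truncation only happens when MySQL's strict SQL mode (STRICT_TRANS_TABLES / STRICT_ALL_TABLES) is off. With strict mode on, the INSERT or UPDATE that writes the 80-character token into a VARCHAR(40) column fails with "Data too long for column" instead, so the bug surfaces at write time rather than as a mismatch when the link is clicked.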

panique commented 3 years ago

Excellent find! Thank you so much Cristopher ;) big hugs back to you

zipus commented 2 years ago

> After the hash update

Sorry @cristopher, can you clarify which hash update you were referring to?