]>
Commit | Line | Data |
---|---|---|
d9169157 J |
1 | <?php |
2 | ||
3 | namespace Wallabag\CoreBundle\Security\Authentication\Encoder; | |
4 | ||
5 | use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder; | |
6 | use Symfony\Component\Security\Core\Exception\BadCredentialsException; | |
7 | ||
8 | /** | |
9 | * This override just add en extra variable (username) to be able to salt the password | |
4346a860 | 10 | * the way Wallabag v1 does. It will avoid to break compatibility with Wallabag v1. |
d9169157 J |
11 | */ |
12 | class WallabagPasswordEncoder extends BasePasswordEncoder | |
13 | { | |
14 | private $algorithm; | |
15 | private $encodeHashAsBase64; | |
16 | private $iterations; | |
17 | private $username = null; | |
18 | ||
19 | /** | |
20 | * Constructor. | |
21 | * | |
22 | * @param string $algorithm The digest algorithm to use | |
23 | * @param bool $encodeHashAsBase64 Whether to base64 encode the password hash | |
24 | * @param int $iterations The number of iterations to use to stretch the password hash | |
25 | */ | |
26 | public function __construct($algorithm = 'sha512', $encodeHashAsBase64 = true, $iterations = 5000) | |
27 | { | |
28 | $this->algorithm = $algorithm; | |
29 | $this->encodeHashAsBase64 = $encodeHashAsBase64; | |
30 | $this->iterations = $iterations; | |
31 | } | |
32 | ||
33 | public function setUsername($username) | |
34 | { | |
35 | $this->username = $username; | |
36 | } | |
37 | ||
38 | /** | |
39 | * {@inheritdoc} | |
40 | */ | |
41 | public function encodePassword($raw, $salt) | |
42 | { | |
d9169157 J |
43 | if ($this->isPasswordTooLong($raw)) { |
44 | throw new BadCredentialsException('Invalid password.'); | |
45 | } | |
46 | ||
47 | if (!in_array($this->algorithm, hash_algos(), true)) { | |
48 | throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm)); | |
49 | } | |
50 | ||
51 | $salted = $this->mergePasswordAndSalt($raw, $salt); | |
52 | $digest = hash($this->algorithm, $salted, true); | |
53 | ||
54 | // "stretch" hash | |
55 | for ($i = 1; $i < $this->iterations; $i++) { | |
56 | $digest = hash($this->algorithm, $digest.$salted, true); | |
57 | } | |
58 | ||
59 | return $this->encodeHashAsBase64 ? base64_encode($digest) : bin2hex($digest); | |
60 | } | |
61 | ||
62 | /** | |
63 | * {@inheritdoc} | |
64 | * | |
65 | * We inject the username inside the salted password | |
66 | */ | |
67 | protected function mergePasswordAndSalt($password, $salt) | |
68 | { | |
d9085c63 J |
69 | if (null === $this->username) { |
70 | throw new \LogicException('We can not check the password without a username.'); | |
71 | } | |
72 | ||
d9169157 J |
73 | if (empty($salt)) { |
74 | return $password; | |
75 | } | |
76 | ||
77 | return $password.$this->username.$salt; | |
78 | } | |
79 | ||
80 | /** | |
81 | * {@inheritdoc} | |
82 | */ | |
83 | public function isPasswordValid($encoded, $raw, $salt) | |
84 | { | |
85 | return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt)); | |
86 | } | |
87 | } |