Handle PHP's BCrypt hash version
xendk committed Sep 25, 2024
1 parent 11bbc62 commit a273898
Showing 2 changed files with 16 additions and 1 deletion.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -8,6 +8,9 @@ and this project adheres to [Intended Effort Versioning](https://jacobtomlinson.

## 1.3.2 - [Unreleased]

### Fixed
- Handle PHPs old BCrypt version.

### Changed
- Invalid token creds results in 403 response, not an anonymous
response.
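Review bot: the new `### Fixed` entry ("Handle PHPs old BCrypt version.") is too vague for a reader of the changelog to know what changed; say that legacy token lookups now accept bcrypt hashes with the PHP `$2y$` prefix as well as the `$2a$` prefix Crystal's BCrypt emits, and fix the apostrophe in "PHP's".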
14 changes: 13 additions & 1 deletion src/controllers/legacy_entity_controller.cr
Expand Up @@ -7,9 +7,21 @@ class LegacyEntityController < Amber::Controller::Base
def index
token_user = nil : User?
if params[:token]?
token = params[:token].split("|")
# Timelord uses a version of bcrypt hash that's basically only
# used by PHP, so we "fix" it to the version Crystal BCrypt
# uses. This is hackery stuff, but using password hashes in auth
# was a bad move to start with, so we'll hack in compatibility
# until we get it fixed proper.
token = params[:token].gsub(/^\$2y\$/, "$2a$").split("|")
if token.size == 2
token_user = User.find_by(hashed_password: token[0], email: token[1])

unless token_user
# If we couldn't find a user by Crystal BCrypt hash, try
# again with PHP version, we have some migrated users with
# the old PHP version.
token_user = User.find_by(hashed_password: token[0].gsub(/^\$2a\$/, "$2y$"), email: token[1])
end
end

unless token_user
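Review bot: rewriting the prefix in `token = params[:token].gsub(/^\$2y\$/, "$2a$").split("|")` and then undoing it in the fallback `token[0].gsub(/^\$2a\$/, "$2y$")` makes every lookup that misses on the first `find_by` issue a second database query, and the two branches only exist because stored hashes carry both prefixes; since `$2y$` and `$2a$` denote the same bcrypt algorithm, a one-off migration that rewrites the stored `$2y$` prefixes to `$2a$` (or a single helper that normalizes the prefix on both the stored and the presented value) would remove the retry branch and the second query entirely. The comment "until we get it fixed proper" also references no issue to track the replacement of hash-as-token auth, and the hunk adds no test exercising a `$2y$` token, which is the case this commit is for.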
