Coding standards
Security in ResourceSpace
Developer reference
Database
Action functions
Admin functions
Ajax functions
Annotation functions
API functions
Collections functions
Comment functions
Config functions
CSV export functions
Dash functions
Debug functions
Encryption functions
Facial recognition functions
File functions
General functions
Language functions
Log functions
Login functions
Message functions
Migration functions
Node functions
PDF functions
Plugin functions
Render functions
Reporting functions
Request functions
Research functions
Slideshow functions
Theme permission functions
User functions
Video functions
Database functions
Metadata functions
Resource functions
Search functions
Map functions
Job functions
Tab functions
Test functions

rs_password_verify()

Description

ResourceSpace verify password

value is the actual value for that variable.

Parameters

ColumnTypeDefaultDescription
$password string Password
$hash string Password hash
$data array Extra data required for matching hash expectations (e.g username, impersonate_user). Key is the variable name,

Return

boolean

Location

include/login_functions.php lines 327 to 376

Definition

 
function rs_password_verify(string $passwordstring $hash, array $data)
    {
    
// Prevent hashes being entered directly while still supporting direct entry of plain text passwords (for systems that 
    // were set up prior to MD5 password encryption was added). If a special key is sent, which is the MD5 hash of the 
    // username and the secret scramble key, then allow a login using the MD5 password hash as the password. This is for 
    // the 'log in as this user' feature.
    
$impersonate_user $data['impersonate_user'] ?? false;
    
$hash_info password_get_info($hash);
    
$pass_info password_get_info($password);
    
$is_like_v1_hash = (mb_strlen($password) === 32);
    
$is_like_v2_hash = (mb_strlen($password) === 64);
    
$is_v3_hash = ($hash_info['algo'] === $pass_info['algo'] && $hash_info['algoName'] !== 'unknown');
    if(!
$impersonate_user && ($is_v3_hash || $is_like_v2_hash || $is_like_v1_hash))
        {
        return 
false;
        }

    
$RS_madeup_pass "RS{$data['username']}{$password}";
    
$hash_v1 md5($RS_madeup_pass);
    
$hash_v2 hash('sha256'$hash_v1);

    
// Most common case: hash is at version 3 (ie. hash generated using password_hash from PHP)
    
if(password_verify(hash_hmac('sha256'$RS_madeup_pass$GLOBALS['scramble_key']), $hash))
        {
        return 
true;
        }
    elseif(
$hash_v2 === $hash)
        {
        return 
true;
        }
    elseif(
$hash_v1 === $hash)
        {
        return 
true;
        }
    
// Legacy: Plain text password - when passwords were not hashed at all (very old code - should really not be the 
    // case anymore) -or- when someone resets it manually in the database
    
elseif($password === $hash)
        {
        return 
true;
        }
    elseif(isset(
$GLOBALS["scramble_key_old"]) && $GLOBALS["migrating_scrambled"]
        && 
password_verify(hash_hmac('sha256'$RS_madeup_pass$GLOBALS['scramble_key_old']), $hash) )
        {
        
// Force user to change password if password_expiry is enabled
        
ps_query("UPDATE user SET password_last_change = '1970-01-01' WHERE username = ?", array("s",$data['username']));
        return 
true;
        }

    return 
false;
    }

This article was last updated 4th December 2024 08:35 Europe/London time based on the source file dated 25th November 2024 11:45 Europe/London time.