Merge pull request #3970 from MrPetovan/task/3942-add-user-authenticate

Migrate password hashing Part 1: Add User::authenticate

mod/openid.php

@@ -33,7 +33,8 @@ function openid_content(App $a) {
 			//       mod/settings.php in 8367cad so it might have left mixed
 			//       records in the user table
 			//
-			$r = q("SELECT *, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey` FROM `user`
+			$r = q("SELECT *
+				FROM `user`
 				WHERE ( `openid` = '%s' OR `openid` = '%s' )
 				AND `blocked` = 0 AND `account_expired` = 0
 				AND `account_removed` = 0 AND `verified` = 1

mod/removeme.php

@@ -4,21 +4,21 @@ use Friendica\App;
 use Friendica\Core\System;
 use Friendica\Model\User;
 
-function removeme_post(App $a) {
-
-	if (! local_user()) {
+function removeme_post(App $a)
+{
+	if (!local_user()) {
 		return;
 	}
 
-	if (x($_SESSION,'submanage') && intval($_SESSION['submanage'])) {
+	if (x($_SESSION, 'submanage') && intval($_SESSION['submanage'])) {
 		return;
 	}
 
-	if ((! x($_POST,'qxz_password')) || (! strlen(trim($_POST['qxz_password'])))) {
+	if ((!x($_POST, 'qxz_password')) || (!strlen(trim($_POST['qxz_password'])))) {
 		return;
 	}
 
-	if ((! x($_POST,'verify')) || (! strlen(trim($_POST['verify'])))) {
+	if ((!x($_POST, 'verify')) || (!strlen(trim($_POST['verify'])))) {
 		return;
 	}
 
@@ -26,18 +26,15 @@ function removeme_post(App $a) {
 		return;
 	}
 
-	$encrypted = hash('whirlpool',trim($_POST['qxz_password']));
-
-	if ((strlen($a->user['password'])) && ($encrypted === $a->user['password'])) {
+	if (User::authenticate($a->user['uid'], trim($_POST['qxz_password']))) {
 		User::remove($a->user['uid']);
 		// NOTREACHED
 	}
-
 }
 
-function removeme_content(App $a) {
-
-	if (! local_user()) {
+function removeme_content(App $a)
+{
+	if (!local_user()) {
 		goaway(System::baseUrl());
 	}
 
@@ -59,5 +56,4 @@ function removeme_content(App $a) {
 	));
 
 	return $o;
-
 }

mod/settings.php

@@ -9,6 +9,7 @@ use Friendica\Core\Config;
 use Friendica\Core\PConfig;
 use Friendica\Database\DBM;
 use Friendica\Model\GlobalContact;
+use Friendica\Model\User;
 
 require_once 'include/group.php';
 
@@ -371,7 +372,6 @@ function settings_post(App $a) {
 
 		$newpass = $_POST['password'];
 		$confirm = $_POST['confirm'];
-		$oldpass = hash('whirlpool', $_POST['opassword']);
 
 		$err = false;
 		if ($newpass != $confirm) {
@@ -386,8 +386,7 @@ function settings_post(App $a) {
 
         //  check if the old password was supplied correctly before
         //  changing it to the new value
-        $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
-        if ($oldpass != $r[0]['password']) {
+        if (User::authenticate(intval(local_user()), $_POST['opassword'])) {
             notice(t('Wrong password.') . EOL);
             $err = true;
         }
@@ -501,22 +500,20 @@ function settings_post(App $a) {
 	if ($email != $a->user['email']) {
 		$email_changed = true;
 		//  check for the correct password
-		$r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user()));
-		$password = hash('whirlpool', $_POST['mpassword']);
-		if ($password != $r[0]['password']) {
+		if (!User::authenticate(intval(local_user()), $_POST['mpassword'])) {
 			$err .= t('Wrong Password') . EOL;
 			$email = $a->user['email'];
 		}
 		//  check the email is valid
 		if (!valid_email($email)) {
-			$err .= t(' Not valid email.');
+			$err .= t('Invalid email.');
 		}
 		//  ensure new email is not the admin mail
 		//if ((x($a->config, 'admin_email')) && (strcasecmp($email, $a->config['admin_email']) == 0)) {
 		if (x($a->config, 'admin_email')) {
 			$adminlist = explode(",", str_replace(" ", "", strtolower($a->config['admin_email'])));
 			if (in_array(strtolower($email), $adminlist)) {
-				$err .= t(' Cannot change to that email.');
+				$err .= t('Cannot change to that email.');
 				$email = $a->user['email'];
 			}
 		}