Collections functions
General functions
Render functions
Theme permission functions
Resource functions

rs_password_verify()

Description

ResourceSpace verify password

value is the actual value for that variable.

Parameters

ColumnTypeDefaultDescription
$password string Password
$hash string Password hash
$data array Extra data required for matching hash expectations (e.g username, impersonate_user). Key is the variable name,

Return

boolean

Location

include/login_functions.php lines 324 to 366

Definition

 
function rs_password_verify(string $passwordstring $hash, array $data)
    {
    
// Prevent hashes being entered directly while still supporting direct entry of plain text passwords (for systems that 
    // were set up prior to MD5 password encryption was added). If a special key is sent, which is the MD5 hash of the 
    // username and the secret scramble key, then allow a login using the MD5 password hash as the password. This is for 
    // the 'log in as this user' feature.
    
$impersonate_user $data['impersonate_user'] ?? false;
    
$hash_info password_get_info($hash);
    
$pass_info password_get_info($password);
    
$is_like_v1_hash = (mb_strlen($password) === 32);
    
$is_like_v2_hash = (mb_strlen($password) === 64);
    
$is_v3_hash = ($hash_info['algo'] === $pass_info['algo'] && $hash_info['algoName'] !== 'unknown');
    if(!
$impersonate_user && ($is_v3_hash || $is_like_v2_hash || $is_like_v1_hash))
        {
        return 
false;
        }

    
$RS_madeup_pass "RS{$data['username']}{$password}";
    
$hash_v1 md5($RS_madeup_pass);
    
$hash_v2 hash('sha256'$hash_v1);

    
// Most common case: hash is at version 3 (ie. hash generated using password_hash from PHP)
    
if(password_verify(hash_hmac('sha256'$RS_madeup_pass$GLOBALS['scramble_key']), $hash))
        {
        return 
true;
        }
    else if(
$hash_v2 === $hash)
        {
        return 
true;
        }
    else if(
$hash_v1 === $hash)
        {
        return 
true;
        }
    
// Legacy: Plain text password - when passwords were not hashed at all (very old code - should really not be the 
    // case anymore) -or- when someone resets it manually in the database
    
else if($password === $hash)
        {
        return 
true;
        }

    return 
false;
    }

This article was last updated 26th September 2022 13:05 Europe/London time based on the source file dated 1st July 2022 09:30 Europe/London time.