feat(auth): 🔐 passwords now bcrypt and seeder up… (#166)

Passwords now using bcrypt. Hashes compared on auth controller instead of using raw text.
Projecte-UrbanTree · Dec 4, 2024 · 2db7974 · 2db7974
2 parents 8d38632 + dc108d1
commit 2db7974
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 7 deletions.
diff --git a/app/src/app/Controllers/Auth/AuthController.php b/app/src/app/Controllers/Auth/AuthController.php
@@ -36,10 +36,9 @@ public function login($postData)
         }
 
         // Check if the user exists and password matches
-        $user = User::findBy(['email' => $email, 'password' => $password], true);
+        $user = User::findBy(['email' => $email], true);
 
-        // TODO: Verify hashed password not raw password
-        if (!$user || strcmp($user->password, $password) !== 0) {
+        if (!$user || !password_verify($password, $user->password)) {
             echo 'Invalid email or password.';
             // Redirect back with error if authentication fails
             Session::set('error', 'Invalid email or password.');

diff --git a/app/src/app/Views/Auth/Login.php b/app/src/app/Views/Auth/Login.php
@@ -22,7 +22,7 @@ class="mt-1 block w-full px-4 py-2 border border-gray-300 rounded-lg shadow-sm f
 
     <div>
         <label for="password" class="block text-sm font-medium text-gray-700">Password</label>
-        <input type="password" id="password" name="password" required value="hashedpassword3"
+        <input type="password" id="password" name="password" required value="demopass"
             class="mt-1 block w-full px-4 py-2 border border-gray-300 rounded-lg shadow-sm focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm"
             placeholder="••••••••">
     </div>

diff --git a/database/start-scripts/1-seed.sql b/database/start-scripts/1-seed.sql
@@ -1,8 +1,8 @@
 --* Users
 INSERT INTO users (company, name, surname, dni, password, email, role) VALUES
-('TechCorp', 'Carlos', 'García', '12345678A', 'hashedpassword1', '[email protected]', 1),
-('InnovaTech', 'Ana', 'Martínez', '23456789B', 'hashedpassword2', '[email protected]', 1),
-('DesignWorks', 'José', 'Rodríguez', '34567890C', 'hashedpassword3', '[email protected]', 2);
+('TechCorp', 'Carlos', 'García', '12345678A', '$2y$10$BvILqM2m0pJlHNzyugbIu.RqhLIKwKetsRCo3FQbpcOiVx2nHBc9m', '[email protected]', 1), -- Password: demopass
+('InnovaTech', 'Ana', 'Martínez', '23456789B', '$2y$10$BvILqM2m0pJlHNzyugbIu.RqhLIKwKetsRCo3FQbpcOiVx2nHBc9m', '[email protected]', 1), -- Password: demopass
+('DesignWorks', 'José', 'Rodríguez', '34567890C', '$2y$10$BvILqM2m0pJlHNzyugbIu.RqhLIKwKetsRCo3FQbpcOiVx2nHBc9m', '[email protected]', 2); -- Password: demopass
 
 --* Contracts
 INSERT INTO contracts (name, start_date, end_date, invoice_proposed, invoice_agreed, invoice_paid) VALUES