From c7566ed1e45ac28ebcf4e09e4a6412619fa98d96 Mon Sep 17 00:00:00 2001
From: Ism1tha
Date: Tue, 3 Dec 2024 17:37:39 +0100
Subject: [PATCH] feat(auth): :closed_lock_with_key: passwords now bcrypt and seeder updated with hashed password fields

---
 database/start-scripts/1-seed.sql | 6 +++---
 src/app/Controllers/Auth/AuthController.php | 5 ++---
 src/app/Views/Auth/Login.php | 2 +-
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/database/start-scripts/1-seed.sql b/database/start-scripts/1-seed.sql
index 03767559..22ccdcf6 100644
--- a/database/start-scripts/1-seed.sql
+++ b/database/start-scripts/1-seed.sql
@@ -1,8 +1,8 @@
 --* Users, contracts and machines
 INSERT INTO users (company, name, surname, dni, password, email, role) VALUES
-('TechCorp', 'Carlos', 'García', '12345678A', 'hashedpassword1', 'carlos.garcia@example.com', 1),
-('InnovaTech', 'Ana', 'Martínez', '23456789B', 'hashedpassword2', 'ana.martinez@example.com', 1),
-('DesignWorks', 'José', 'Rodríguez', '34567890C', 'hashedpassword3', 'jose.rodriguez@example.com', 2);
+('TechCorp', 'Carlos', 'García', '12345678A', '$2y$10$BvILqM2m0pJlHNzyugbIu.RqhLIKwKetsRCo3FQbpcOiVx2nHBc9m', 'carlos.garcia@example.com', 1), -- Password: demopass
+('InnovaTech', 'Ana', 'Martínez', '23456789B', '$2y$10$BvILqM2m0pJlHNzyugbIu.RqhLIKwKetsRCo3FQbpcOiVx2nHBc9m', 'ana.martinez@example.com', 1), -- Password: demopass
+('DesignWorks', 'José', 'Rodríguez', '34567890C', '$2y$10$BvILqM2m0pJlHNzyugbIu.RqhLIKwKetsRCo3FQbpcOiVx2nHBc9m', 'jose.rodriguez@example.com', 2); -- Password: demopass
 INSERT INTO contracts (name, start_date, end_date, invoice_proposed, invoice_agreed, invoice_paid) VALUES
 ('Ayuntamiento de Valencia', '2021-01-01', '2021-12-31', 1000.00, 900.00, 900.00),
 ('Administración General del Estado', '2021-01-01', '2021-12-31', 2000.00, 1800.00, 1800.00),
diff --git a/src/app/Controllers/Auth/AuthController.php b/src/app/Controllers/Auth/AuthController.php
index c14347bb..603a0a49 100644
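Review bot: The three `+('TechCorp' …`, `+('InnovaTech' …` and `+('DesignWorks' …` rows now store a 60-character bcrypt string in `users.password`, but nothing in the hunk shows that the column is wide enough; the previous values were 15 characters and the table definition lives outside this patch. If `users.password` is a short `VARCHAR`, a non-strict MySQL session would silently truncate the hash and `password_verify` would then fail for every seeded account, so confirm the column allows at least 60 characters (PHP's `password_hash` documentation suggests 255 to leave room for future algorithms). Since the script sits under `database/start-scripts/`, it is presumably executed on every fresh database, which makes these rows three well-known accounts whose password is spelled out in the trailing comments; a header above the `INSERT` should say so explicitly, e.g. `-- Development fixtures: all three accounts share the password 'demopass' (bcrypt, cost 10); do not load this script against a non-development database.`. The per-row `-- Password: demopass` comments could then be dropped in favour of that single header.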
--- a/src/app/Controllers/Auth/AuthController.php
+++ b/src/app/Controllers/Auth/AuthController.php
@@ -36,10 +36,9 @@ public function login($postData)
 }
 // Check if the user exists and password matches
- $user = User::findBy(['email' => $email, 'password' => $password], true);
+ $user = User::findBy(['email' => $email], true);
- // TODO: Verify hashed password not raw password
- if (!$user || strcmp($user->password, $password) !== 0) {
+ if (!$user || !password_verify($password, $user->password)) {
 echo 'Invalid email or password.';
 // Redirect back with error if authentication fails
 Session::set('error', 'Invalid email or password.');
diff --git a/src/app/Views/Auth/Login.php b/src/app/Views/Auth/Login.php
index 1a4605ec..8f905d18 100644
--- a/src/app/Views/Auth/Login.php
+++ b/src/app/Views/Auth/Login.php
@@ -22,7 +22,7 @@ class="mt-1 block w-full px-4 py-2 border border-gray-300 rounded-lg shadow-sm f
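Review bot: With the new `$user = User::findBy(['email' => $email], true);` line, `password_verify` only runs when an account exists, so the `if (!$user || …)` branch returns almost immediately for an unknown e-mail and only pays the bcrypt cost for a known one; that response-time difference reveals which e-mails are registered, which is exactly what the shared 'Invalid email or password.' message is meant to hide. Run the comparison in both cases, e.g. `$hash = $user ? $user->password : self::DUMMY_HASH;` followed by `if (!$user || !password_verify($password, $hash)) {`, where `DUMMY_HASH` (placeholder name) is a bcrypt string generated once with `password_hash` for an arbitrary value and kept as a class constant. On the success path, which lies outside the hunk, consider checking `password_needs_rehash($user->password, PASSWORD_DEFAULT)` and re-hashing on login so stored hashes are upgraded transparently if the cost factor or algorithm changes later. `login()` begins and ends outside this hunk.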
-