authorYorhel <git@yorhel.nl>2014-10-15 12:34:40 +0200
committerYorhel <git@yorhel.nl>2014-10-15 12:34:40 +0200
commit2640d51d745bdbd85bf52f92aa4ed46253ccf99d (patch)
tree8536f89531cd6bb8e12fcd1f68dd16b530b491f4 /lib/VNDB/Handler/Users.pm
parenta1b4da1d3ae9e6ed9326df41f9831be81f6b839a (diff)
SQL: Merge users.(passwd|salt) in one column + document values
It doesn't make a whole lot of sense to separate the hashed password and the salt from each other: you need both to do anything with them, and from the database's perspective they're both completely opaque strings only usable for direct comparison with other hashed strings. This change is mostly a preparation for switching to a proper key derivation function (sha256 isn't...) and for adding support for longer and/or binary salts. Because the passwd field now needs to be interpreted in Perl, it's being passed around as a binary string rather than a hex-encoded value. API login is broken in this commit. I'll get to that.
Diffstat (limited to 'lib/VNDB/Handler/Users.pm')
-rw-r--r--lib/VNDB/Handler/Users.pm14
1 files changed, 8 insertions, 6 deletions
diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm
index 271561af..bcf94fb4 100644
--- a/lib/VNDB/Handler/Users.pm
+++ b/lib/VNDB/Handler/Users.pm
@@ -208,8 +208,9 @@ sub newpass {
if(!$frm->{_err}) {
my %o;
my $token;
- ($token, $o{passwd}, $o{salt}) = $self->authPrepareReset();
+ ($token, $o{passwd}) = $self->authPrepareReset();
$self->dbUserEdit($u->{id}, %o);
+ #warn "$self->{url}/u$u->{id}/setpass?t=$token";
$self->mail(mt('_newpass_mail_body', $u->{username}, "$self->{url}/u$u->{id}/setpass?t=$token"),
To => $frm->{mail},
From => 'VNDB <noreply@vndb.org>',
@@ -254,7 +255,7 @@ sub setpass {
$t = $t->{t};
my $u = $self->dbUserGet(uid => $uid, what => 'extended')->[0];
- return $self->resNotFound if !$u || !$self->authValidateReset($u, $t);
+ return $self->resNotFound if !$u || !$self->authValidateReset($u->{passwd}, $t);
my $frm;
if($self->reqMethod eq 'POST') {
@@ -267,7 +268,7 @@ sub setpass {
if(!$frm->{_err}) {
my %o = (email_confirmed => 1);
- ($o{passwd}, $o{salt}) = $self->authPreparePass($frm->{usrpass});
+ $o{passwd} = $self->authPreparePass($frm->{usrpass});
$self->dbUserEdit($uid, %o);
return $self->authLogin($u->{username}, $frm->{usrpass}, "/u$uid");
}
@@ -307,8 +308,9 @@ sub register {
push @{$frm->{_err}}, 'oneaday' if !$frm->{_err} && $self->dbUserGet(ip => $ip =~ /:/ ? "$ip/48" : $ip, registered => time-24*3600)->[0]{id};
if(!$frm->{_err}) {
- my($token, $pass, $salt) = $self->authPrepareReset();
- my $uid = $self->dbUserAdd($frm->{usrname}, $pass, $salt, $frm->{mail});
+ my($token, $pass) = $self->authPrepareReset();
+ my $uid = $self->dbUserAdd($frm->{usrname}, $pass, $frm->{mail});
+ warn "$self->{url}/u$uid/setpass?t=$token";
$self->mail(mt('_register_mail_body', $frm->{usrname}, "$self->{url}/u$uid/setpass?t=$token"),
To => $frm->{mail},
From => 'VNDB <noreply@vndb.org>',
@@ -388,7 +390,7 @@ sub edit {
$o{perm} |= $self->{permissions}{$_} for(@{ delete $frm->{perms} });
}
$o{mail} = $frm->{mail};
- ($o{passwd}, $o{salt}) = $self->authPreparePass($frm->{usrpass}) if $frm->{usrpass};
+ $o{passwd} = $self->authPreparePass($frm->{usrpass}) if $frm->{usrpass};
$o{ign_votes} = $frm->{ign_votes} ? 1 : 0 if $self->authCan('usermod');
$self->dbUserEdit($uid, %o);
$self->dbSessionDel($uid) if $frm->{usrpass};
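Review bot: The `warn "$self->{url}/u$uid/setpass?t=$token";` line added in the register hunk writes the freshly generated password-reset token, embedded in the complete setpass URL, to STDERR, which for a deployed handler presumably ends up in the web-server or application log, so anyone who can read that log can set the password of the new account before its owner does. The same statement appears commented out as `#warn "$self->{url}/u$u->{id}/setpass?t=$token";` in the newpass hunk, so both look like debugging leftovers; drop the live `warn` in register and the commented copy in newpass rather than leaving a template for re-enabling it. If a trace of the mailing is wanted, log only the user id (e.g. `warn "setpass mail sent for u$uid";`), never the token. The body of register starts before and continues after the hunk, so the token's other uses there are not visible here.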