fix(authentication): Handle null or empty string password hash #36653
Conversation
This can happen when the auth.storeCryptedPassword config is used, which previously errored with: Hasher::verify(): Argument #2 ($hash) must be of type string, null given Signed-off-by: Joas Schilling <coding@schilljs.com>
nickvergessen
added
bug
3. to review
nickvergessen
requested review from
ArtificialOwl and
icewind1991
and removed request for
a team
| @@ -113,7 +113,7 @@ public function generateToken(string $token, | |||
| // We need to check against one old token to see if there is a password | |||
| // hash that we can reuse for detecting outdated passwords | |||
| $randomOldToken = $this->mapper->getFirstTokenForUser($uid); | |||
| $oldTokenMatches = $randomOldToken && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash()); | |||
| $oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash()); | |||
There was a problem hiding this comment.
| $oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash()); | |
| $oldTokenMatches = $randomOldToken && ($pwHash = $randomOldToken->getPasswordHash()) && $this->hasher->verify(sha1($password) . $password, $pwHash); |
There was a problem hiding this comment.
We don't do inline assignments in Nextcloud, also it's a just replacign a local member call here, so not sure it's worth the possible confusion.
There was a problem hiding this comment.
The problem is not to avoid the local call, it’s that you cannot know that getPasswordHash will return the same thing twice, so checking it returns a non-falsy value and then calling it againg and using it as an object is dangerous.
I’m not sure how is the pretty way to write this, and I do dislike the inline assignment, I used it to show the smalest change possible to show the idea.
psalm will yell at you for doing this kind of stuff. Especially when most of the time we only know the interface used and not the class.
| $oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash()); | |
| if ($randomOldToken) { | |
| $pwHash = $randomOldToken->getPasswordHash(); | |
| $oldTokenMatches = $pwHash && $this->hasher->verify(sha1($password) . $password, $pwHash); | |
| } else { | |
| $oldTokenMatches = false; | |
| } |
Or if PHP>=8:
| $oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash()); | |
| $pwHash = $randomOldToken?->getPasswordHash(); | |
| $oldTokenMatches = $pwHash && $this->hasher->verify(sha1($password) . $password, $pwHash); |
There was a problem hiding this comment.
The problem is not to avoid the local call, it’s that you cannot know that getPasswordHash will return the same thing twice
We have code like this with all our "Entities" all the time? How could the existing object change in the meantime?
nickvergessen
deleted the
bugfix/noid/more-defensive-old-token-handling
branch
This can happen when the auth.storeCryptedPassword config is used, which previously errored with:
Hasher::verify(): Argument #2 ($hash) must be of type string, null given
As observed in https://drone.nextcloud.com/nextcloud/spreed/11732/1/4
Checklist