0

I am migrating a site into the laravel framework, and the database for the old site stores user passwords as plaintext. Obviously that's an issue, so I used this code to hash the passwords. The client has also requested that users be able to login through their username, so I edited the default login controller to account for that. Creating a new account and logging into it works just fine, but trying to login to an existing account always returns invalid credentials.

I started with php artisan make:auth and have edited the generated files from there.

I have tried hashing the passwords in a migration, as well as in php artisan tinker. I have also tried using $user->password = Hash::make($user->password); rather than $user->password = bcrypt($user->password);, also in migration and tinker. I've gotten the same result each time while trying to log in.

If I use Hash::make in artisan tinker and then Hash::check against the created hash and the plaintext password, it returns true, but when I attempt to login with those credentials, it fails. bcrypt returns false for Hash::check in tinker. Using bcrypt returns true for Hash::needsRehash while Hash::make returns false.

Usernames are set as unique.

User model:

protected $primaryKey = 'user_id';

protected $fillable = [
    'username', 'password',
];

protected $guarded = [];

protected $hidden = [
    'password', 'remember_token',
];

public function getAuthPassword()
{
    return $this->password;
}

LoginController:

use AuthenticatesUsers;
protected $redirectTo = '/home';
public function __construct()
{
    $this->middleware('guest')->except('logout');
}
public function username()
{
    return 'username';
}

login.blade username/password form fields:

<div class="form-group row">
    <label for="username" class="col-md-4 col-form-label text-md-right">{{ __('Username') }}</label>
    <div class="col-md-6">
        <input id="username" type="text" class="form-control @error('username') is-invalid @enderror" name="username" value="{{ old('username') }}" required autofocus>
            @error('username')
            <span class="invalid-feedback" role="alert">
                <strong>{{ $message }}</strong>
            </span>
            @enderror
    </div>
</div>
<div class="form-group row">
    <label for="password" class="col-md-4 col-form-label text-md-right">{{ __('Password') }}</label>
    <div class="col-md-6">
        <input id="password" type="password" class="form-control @error('password') is-invalid @enderror" name="password" required autocomplete="current-password">
        @error('password')
        <span class="invalid-feedback" role="alert">
            <strong>{{ $message }}</strong>
        </span>
        @enderror
    </div>
</div>

I expect to be able to login to an existing account but when I attempt to (using a backup of the original database to check passwords), I receive a typical "These credentials do not match our records." error a user would receive from entering an incorrect password.

Improve this question
5
  • the problem is from your initial not hashing of the password! Commented Jun 10, 2019 at 16:03
  • I assure you it wasn't my decision to store the passwords as plaintext! This database is ooooold. Any insight into how to solve this? Commented Jun 10, 2019 at 16:05
  • And by old I mean over a decade old. I'm just the poor schmuck that has to make it work. Commented Jun 10, 2019 at 16:16
  • try this lets see if it works. get one of the plaintext password and bcrypt(password) it. then try to login with it. Commented Jun 10, 2019 at 16:17
  • I'd already tried that but in the process of looking at it again, I figured out my problem! At some point, my password field in the database got changed to a length of 20 so the full password hash wasn't getting saved. Whoops! Commented Jun 10, 2019 at 16:31

1 Answer 1

Reset to default
1

I figured out my issue. At some point, my password field length got changed to 20, rather than 250. Obviously this was truncating the hash. Whoops! Figured it was something silly that I'd missed.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.