Re-check password via API


heldercervantes

Hi.

I'm working on a private area for a site and reached the change password feature. In the form I want to ask the user for the current password and the new one. Can't figure out how to check if the current password entered is the correct one. Since the stored password is hashed, I can't simply make a comparison.

How can this be done?

thanks,

HC


@heldercervantes -

I'm using Ryan's example profile editor for logged-in users to change their password; that works great. It's based on FormBuilder and uses hooks to process the profile change.

https://processwire.com/talk/topic/9574-edit-user-profile-frontend/?p=92143

If you are looking for forgot password, this might help:

https://processwire.com/talk/topic/1319-forgot-password-on-front-end/?p=96363


Haven't tested it (wrote it in the browser), but something like this should do the job. Maybe add some extra sanitizing on the old and new pass too.

Inside a template:

if (!$user->isLoggedin()) throw new Wire404Exception();
if (!$sanitizer->name($input->post->submit)) throw new Wire404Exception();

$username = $user->name;
$old_pass = $input->post->old_pass;
$new_pass = $input->post->new_pass;

if ($username === 'guest') throw new Wire404Exception();

if (!empty($old_pass) && !empty($new_pass)) {

    $u = $users->get("name=$username");

    if ($u->id) {

        try {
            // $session->login() re-authenticates the old password against the
            // stored hash and returns the User on success or null on failure,
            // so test for null before reading ->id
            $u = $session->login($username, $old_pass);

            if ($u && $u->id) {

                $u->setOutputFormatting(false);
                $u->pass = $new_pass; // FieldtypePassword hashes the value on save
                $u->save();
                $u->setOutputFormatting(true);

                // log in again with the new password so the session is refreshed
                $u = $session->login($username, $new_pass);
            }
        }
        catch (WireException $e) {
            // show some error messages:
            // $e->getMessage();
        }
    }
}

Inside a method:

if (!$this->user->isLoggedin()) return;
if (!$this->sanitizer->name($this->input->post->submit)) return;

$username = $this->user->name;
$old_pass = $this->input->post->old_pass;
$new_pass = $this->input->post->new_pass;

if ($username === 'guest') return;

if (!empty($old_pass) && !empty($new_pass)) {

    $u = $this->users->get("name=$username");

    if ($u->id) {

        try {
            // login() returns the User on success or null on failure,
            // so test for null before reading ->id
            $u = $this->session->login($username, $old_pass);

            if ($u && $u->id) {

                $u->setOutputFormatting(false);
                $u->pass = $new_pass; // FieldtypePassword hashes the value on save
                $u->save();
                $u->setOutputFormatting(true);

                // log in again with the new password so the session is refreshed
                $u = $this->session->login($username, $new_pass);
            }
        }
        catch (WireException $e) {
            // show some error messages:
            // $e->getMessage();
        }
    }
}

Hi, I use/wrote this little chunk:

<?php

class ProfileChunk extends \nw\DataProviders\ChunkDataProvider {

  public function populate() {
    $input = wire('input');
    $user = wire('user');
    $sanitizer = wire('sanitizer');

    if (!$user->isLoggedin()) wire('session')->redirect('/');

    // output formatting off so $user->pass is the raw Password object and the user can be saved
    $user->of(false);

    // check if they submitted a password change
    $passOld = substr($input->post->pass_old, 0, 50);
    $passNew = $input->post->pass_new;
    $passConfirm = $input->post->pass_confirm;

    $error = false;

    // all three inputs have to be filled
    if (!empty($passOld) && !empty($passNew) && !empty($passConfirm)) {
      // check old password against the stored hash
      if ($user->pass->matches($passOld)) {
        if (strlen($passNew) < 6) {
          $error = true;
          $this->message = ".. at least 6 characters ..";
        } else if ($passNew !== $passConfirm) {
          $error = true;
          $this->message = '.. passwords do not match ..';
        } else {
          // everything is fine, save new password (FieldtypePassword hashes it on save)
          $user->pass = $passNew;
        }
      } else {
        $error = true;
        $this->message = '.. the old password is incorrect ..';
      }
    }

    // check and save other fields

    // only report success and save when no validation error occurred
    if (!$error) {
      $this->message = '.. successfully saved ..';
      $user->save();
    }
    $user->of(true);
  }

}

Martijn's simple couple of lines works great too - I used it to make sure users who are currently logged in and are changing their passwords on a front-end form weren't just re-entering the same password or using it as part of their new password (sticking a 1 on the end or something :) ).

 

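The posts above show two ways to verify the current password before changing it: re-running $session->login() with the old password, and comparing it against the stored hash with $user->pass->matches(). The following template file is an added example, not code from any post in this thread or from the ProcessWire project; it combines the matches() check with the reuse check the last post describes (rejecting a new password that is, or contains, the old one), adds a CSRF token check, and re-logs the user in afterwards so the session id is regenerated. It assumes ProcessWire 3.x (the ProcessWire namespace), a form with fields named pass_current, pass_new, pass_confirm and a submit button named submit, and a 10-character minimum that is a policy choice for this example only.

```php
<?php namespace ProcessWire;
// change-password.php (template file). Field names, the 10-character minimum and
// the error texts are assumptions made for this example.

if (!$user->isLoggedin() || $user->isGuest()) throw new Wire404Exception();

/**
 * Returns a list of validation errors for a password change request, or an
 * empty array if the change may proceed. $stored is the user's Password object
 * ($user->pass); Password::matches() compares the plaintext against the stored hash.
 */
function passwordChangeErrors(Password $stored, $current, $new, $confirm) {
    $errors = [];
    if ($current === '' || $new === '' || $confirm === '') {
        $errors[] = 'All three password fields are required.';
        return $errors;
    }
    // 1. prove possession of the current password before looking at anything else
    if (!$stored->matches($current)) {
        $errors[] = 'The current password is incorrect.';
        return $errors;
    }
    // 2. the confirmation must match exactly
    if ($new !== $confirm) $errors[] = 'The new passwords do not match.';
    // 3. policy: minimum length, and no reuse (this also catches "oldpassword1")
    if (strlen($new) < 10) $errors[] = 'Use at least 10 characters.';
    if ($new === $current || stripos($new, $current) !== false) {
        $errors[] = 'The new password must not be, or contain, the current one.';
    }
    return $errors;
}

$errors = [];

if ($input->post->submit) {
    // hasValidToken() returns false instead of throwing, so it can be reported inline
    if (!$session->CSRF->hasValidToken()) {
        $errors[] = 'The form has expired, please try again.';
    } else {
        // passwords are deliberately not run through $sanitizer->text(): it would
        // strip characters the user legitimately typed and the value is never output
        $current = (string) $input->post->pass_current;
        $new     = (string) $input->post->pass_new;
        $confirm = (string) $input->post->pass_confirm;

        // output formatting off so $user->pass is the raw Password object and the user is saveable
        $user->of(false);
        $errors = passwordChangeErrors($user->pass, $current, $new, $confirm);

        if (!$errors) {
            $user->pass = $new;          // FieldtypePassword hashes the value on save
            $users->save($user);
            $user->of(true);
            // re-login with the new password regenerates the session id; redirect so a
            // page refresh does not resubmit the POST
            if ($session->login($user->name, $new)) {
                $session->message('Password changed.');
                $session->redirect($page->url);
            }
            $errors[] = 'Password saved, but re-login failed; please log in again.';
        }
        $user->of(true);
    }
}
?>
<form method="post" action="<?= $page->url ?>">
  <?= $session->CSRF->renderInput() ?>
  <?php foreach ($errors as $e): ?><p class="error"><?= $sanitizer->entities($e) ?></p><?php endforeach; ?>
  <label>Current password <input type="password" name="pass_current" autocomplete="current-password"></label>
  <label>New password <input type="password" name="pass_new" autocomplete="new-password"></label>
  <label>Confirm new password <input type="password" name="pass_confirm" autocomplete="new-password"></label>
  <button type="submit" name="submit" value="1">Change password</button>
</form>
```

The current-password check runs first and returns on failure so that the length and reuse messages never leak to someone who does not know the current password. Logging in again after the save, rather than leaving the existing session in place, is what rotates the session id; if a stricter policy is wanted, the other sessions of the same user should be invalidated at this point as well.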
