heldercervantes Posted June 9, 2015

Hi. I'm working on a private area for a site and reached the change password feature. In the form I want to ask the user for the current password and the new one.

Can't figure out how to check if the current password entered is the correct one. Since the stored password is hashed, I can't simply make a comparison. How can this be done?

thanks,
HC

Macrura Posted June 9, 2015

@heldercervantes - I'm using Ryan's example profile editor for logged in users to change their password; that works great, it's based on Formbuilder, and uses hooks to process the profile change.

https://processwire.com/talk/topic/9574-edit-user-profile-frontend/?p=92143

If you are looking for forgot password, this might help:

https://processwire.com/talk/topic/1319-forgot-password-on-front-end/?p=96363

Raymond Geerts Posted June 9, 2015

Haven't tested it (wrote it in the browser). But something like this should do the job. Maybe add some extra sanitizing on the old and new pass too.

Inside a template:

```php
if (!$user->isLoggedin()) throw new Wire404Exception();
if (!$sanitizer->name($input->post->submit)) throw new Wire404Exception();

$username = $user->name;
$old_pass = $input->post->old_pass;
$new_pass = $input->post->new_pass;

if ($username === 'guest') throw new Wire404Exception();

if (!empty($old_pass) && !empty($new_pass)) {
    $u = $users->get("name=$username");
    if ($u->id) {
        try {
            // login() returns the user on success and null on failure,
            // so test for null before reading ->id
            $u = $session->login($username, $old_pass);
            if ($u && $u->id) {
                $u->setOutputFormatting(false);
                $u->pass = $new_pass;
                $u->save();
                $u->setOutputFormatting(true);
                // log in again with the new password
                $u = $session->login($username, $new_pass);
            }
        } catch (WireException $e) {
            // show some error messages:
            // $e->getMessage();
        }
    }
}
```

Inside a method:

```php
if (!$this->user->isLoggedin()) return;
if (!$this->sanitizer->name($this->input->post->submit)) return;

$username = $this->user->name;
$old_pass = $this->input->post->old_pass;
$new_pass = $this->input->post->new_pass;

if ($username === 'guest') return;

if (!empty($old_pass) && !empty($new_pass)) {
    $u = $this->users->get("name=$username");
    if ($u->id) {
        try {
            // login() returns the user on success and null on failure,
            // so test for null before reading ->id
            $u = $this->session->login($username, $old_pass);
            if ($u && $u->id) {
                $u->setOutputFormatting(false);
                $u->pass = $new_pass;
                $u->save();
                $u->setOutputFormatting(true);
                // log in again with the new password
                $u = $this->session->login($username, $new_pass);
            }
        } catch (WireException $e) {
            // show some error messages:
            // $e->getMessage();
        }
    }
}
```

Martijn Geerts Posted June 9, 2015

Think you can use

```php
// authenticate returns true or false
// ps: User is a user object
if ($session->authenticate($user, $pass)) {
    echo 'yep password is the same';
}
```

justb3a Posted June 9, 2015

Hi, I use/wrote this little chunk:

```php
<?php

class ProfileChunk extends \nw\DataProviders\ChunkDataProvider {

  public function populate() {
    $input = wire('input');
    $user = wire('user');
    $sanitizer = wire('sanitizer');

    if (!$user->isLoggedin()) wire('session')->redirect('/');

    $user->of(false);
    $error = ''; // stays empty unless a password check fails

    // check if they submitted a password change
    $passOld = substr($input->post->pass_old, 0, 50);
    $passNew = $input->post->pass_new;
    $passConfirm = $input->post->pass_confirm;

    // all three inputs have to be filled
    if (!empty($passOld) && !empty($passNew) && !empty($passConfirm)) {
      // check old password
      if ($user->pass->matches($passOld)) {
        // the minimum length applies to the new password
        if (strlen($passNew) < 6) {
          $error = ".. at least 6 characters ..";
        } else if ($passNew != $passConfirm) {
          $error = '.. passwords do not match ..';
        } else {
          // everything is fine, save new password
          $user->pass = $passNew;
        }
      } else {
        $error = '.. the old password is incorrect ..';
      }
    }

    // check and save other fields

    // report success only if no password error was recorded above
    $this->message = $error ?: '.. successfully saved ..';
    $user->save();
    $user->of(true);
  }
}
```

heldercervantes Posted June 9, 2015 Author Share Posted June 9, 2015 Thanks guys. Never crossed my mind that, already being logged in, I could fire $session->login again and check the result. Newbie mistake Link to comment Share on other sites More sharing options...
Pete Posted May 2, 2018

Martijn's simple couple of lines works great too - I used it to make sure users who are currently logged in and are changing their passwords on a front-end form weren't just re-entering the same password or using it as part of their new password (sticking a 1 on the end or something).

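Added example, not part of any post in this thread and not ProcessWire code: the whole change-password check in standalone PHP, covering the original question (a salted hash is verified, not compared) and the reuse check described in the last post. The function name `validatePasswordChange()`, its error strings and the sample passwords are constructed for illustration, and PHP's native `password_hash()` / `password_verify()` stand in for ProcessWire's own password handling.

```php
<?php
// Added example: standalone PHP, no ProcessWire required.
// validatePasswordChange() and its messages are hypothetical names.

function validatePasswordChange(string $storedHash, string $current, string $new, string $confirm): array
{
    // A salted hash cannot be compared with ==; password_verify() re-hashes
    // the submitted value with the salt and cost embedded in $storedHash.
    if (!password_verify($current, $storedHash)) {
        return ['current password is incorrect'];
    }

    $errors = [];
    if (strlen($new) < 6) { // same minimum length as the profile chunk above
        $errors[] = 'new password must be at least 6 characters';
    }
    if (!hash_equals($new, $confirm)) {
        $errors[] = 'new password and confirmation do not match';
    }
    // Reuse checks: the hash can only answer "is it identical?"; the
    // "contains" test needs the plaintext the user has just proven to know.
    if (password_verify($new, $storedHash)) {
        $errors[] = 'new password is the same as the current one';
    } elseif (stripos($new, $current) !== false) {
        $errors[] = 'new password contains the current one';
    }
    return $errors;
}

// Constructed sample data.
$stored = password_hash('winter-garden', PASSWORD_DEFAULT);

$cases = [
    'wrong current' => ['summer-garden', 'new-secret-42', 'new-secret-42'],
    'same password' => ['winter-garden', 'winter-garden', 'winter-garden'],
    'suffix added'  => ['winter-garden', 'winter-garden1', 'winter-garden1'],
    'mismatch'      => ['winter-garden', 'new-secret-42', 'new-secret-43'],
    'accepted'      => ['winter-garden', 'new-secret-42', 'new-secret-42'],
];

foreach ($cases as $label => [$current, $new, $confirm]) {
    $errors = validatePasswordChange($stored, $current, $new, $confirm);
    echo str_pad($label, 15), $errors ? implode('; ', $errors) : 'OK', PHP_EOL;
}
```

Only when the returned list is empty should the caller store a fresh hash of the new password; the plaintext values are never persisted or logged.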