Shift rehashing into SessionGuard

valorin · valorin · commit cce60ba604a0 · 2023-11-26T10:35:13.000+10:00
The Session guard's attempt() method is a better place to apply
rehashing than the validateCredentials() method on the provider.
The latter shouldn't have side-effects, as per it's name.
diff --git a/src/Illuminate/Auth/DatabaseUserProvider.php b/src/Illuminate/Auth/DatabaseUserProvider.php
@@ -3,6 +3,7 @@
 namespace Illuminate\Auth;
 
 use Closure;
+use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Contracts\Auth\Authenticatable as UserContract;
 use Illuminate\Contracts\Auth\UserProvider;
 use Illuminate\Contracts\Hashing\Hasher as HasherContract;
@@ -154,32 +155,26 @@ protected function getGenericUser($user)
      */
     public function validateCredentials(UserContract $user, array $credentials)
     {
-        if (is_null($plain = $credentials['password'])) {
-            return false;
-        }
-
-        if (! $this->hasher->check($plain, $hash = $user->getAuthPassword())) {
-            return false;
-        }
-
-        if ($this->hasher->needsRehash($hash)) {
-            $this->rehashUserPassword($user, $plain);
-        }
-
-        return true;
+        return $this->hasher->check(
+            $credentials['password'], $user->getAuthPassword()
+        );
     }
 
     /**
-     * Rehash the user's password.
+     * Rehash the user's password if required and supported.
      *
      * @param  \Illuminate\Contracts\Auth\Authenticatable  $user
-     * @param  string  $plain
-     * @return void
+     * @param  array  $credentials
+     * @return string|null
      */
-    public function rehashUserPassword(UserContract $user, string $plain): void
+    public function rehashPasswordIfRequired(Authenticatable $user, array $credentials)
     {
+        if (! $this->hasher->needsRehash($user->getAuthPassword())) {
+            return;
+        }
+
         $this->connection->table($this->table)
             ->where($user->getAuthIdentifierName(), $user->getAuthIdentifier())
-            ->update([$user->getAuthPasswordName() => $this->hasher->make($plain)]);
+            ->update([$user->getAuthPasswordName() => $this->hasher->make($credentials['password'])]);
     }
 }
diff --git a/src/Illuminate/Auth/EloquentUserProvider.php b/src/Illuminate/Auth/EloquentUserProvider.php
@@ -152,28 +152,24 @@ public function validateCredentials(UserContract $user, array $credentials)
             return false;
         }
 
-        if (! $this->hasher->check($plain, $hash = $user->getAuthPassword())) {
-            return false;
-        }
-
-        if ($this->hasher->needsRehash($hash)) {
-            $this->rehashUserPassword($user, $plain);
-        }
-
-        return true;
+        return $this->hasher->check($plain, $user->getAuthPassword());
     }
 
     /**
-     * Rehash the user's password.
+     * Rehash the user's password if required and supported.
      *
      * @param  \Illuminate\Contracts\Auth\Authenticatable  $user
-     * @param  string  $plain
-     * @return void
+     * @param  array  $credentials
+     * @return string|null
      */
-    public function rehashUserPassword(UserContract $user, string $plain): void
+    public function rehashPasswordIfRequired(UserContract $user, array $credentials)
     {
+        if (! $this->hasher->needsRehash($user->getAuthPassword())) {
+            return;
+        }
+
         $user->forceFill([
-            $user->getAuthPasswordName() => $this->hasher->make($plain),
+            $user->getAuthPasswordName() => $this->hasher->make($credentials['password']),
         ])->save();
     }
 
diff --git a/src/Illuminate/Auth/SessionGuard.php b/src/Illuminate/Auth/SessionGuard.php
@@ -384,6 +384,7 @@ public function attempt(array $credentials = [], $remember = false)
         // to validate the user against the given credentials, and if they are in
         // fact valid we'll log the users into the application and return true.
         if ($this->hasValidCredentials($user, $credentials)) {
+            $this->provider->rehashPasswordIfRequired($user, $credentials);
             $this->login($user, $remember);
 
             return true;
@@ -415,6 +416,7 @@ public function attemptWhen(array $credentials = [], $callbacks = null, $remembe
         // the user is retrieved and validated. If one of the callbacks returns falsy we do
         // not login the user. Instead, we will fail the specific authentication attempt.
         if ($this->hasValidCredentials($user, $credentials) && $this->shouldLogin($callbacks, $user)) {
+            $this->provider->rehashPasswordIfRequired($user, $credentials);
             $this->login($user, $remember);
 
             return true;
diff --git a/src/Illuminate/Contracts/Auth/UserProvider.php b/src/Illuminate/Contracts/Auth/UserProvider.php
@@ -46,4 +46,13 @@ public function retrieveByCredentials(array $credentials);
      * @return bool
      */
     public function validateCredentials(Authenticatable $user, array $credentials);
+
+    /**
+     * Rehash the user's password if required and supported.
+     *
+     * @param  \Illuminate\Contracts\Auth\Authenticatable  $user
+     * @param  array  $credentials
+     * @return void
+     */
+    public function rehashPasswordIfRequired(Authenticatable $user, array $credentials);
 }
diff --git a/tests/Auth/AuthDatabaseUserProviderTest.php b/tests/Auth/AuthDatabaseUserProviderTest.php
@@ -3,6 +3,7 @@
 namespace Illuminate\Tests\Auth;
 
 use Illuminate\Auth\DatabaseUserProvider;
+use Illuminate\Auth\EloquentUserProvider;
 use Illuminate\Auth\GenericUser;
 use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Contracts\Hashing\Hasher;
@@ -154,7 +155,6 @@ public function testCredentialValidation()
         $conn = m::mock(Connection::class);
         $hasher = m::mock(Hasher::class);
         $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(true);
-        $hasher->shouldReceive('needsRehash')->once()->with('hash')->andReturn(false);
         $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
         $user = m::mock(Authenticatable::class);
         $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
@@ -163,38 +163,60 @@ public function testCredentialValidation()
         $this->assertTrue($result);
     }
 
-    public function testCredentialValidationRequiresRehash()
+    public function testCredentialValidationFailed()
+    {
+        $conn = m::mock(Connection::class);
+        $hasher = m::mock(Hasher::class);
+        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(false);
+        $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
+        $user = m::mock(Authenticatable::class);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
+        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+
+        $this->assertFalse($result);
+    }
+
+    public function testRehashPasswordIfRequired()
     {
         $hasher = m::mock(Hasher::class);
-        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(true);
         $hasher->shouldReceive('needsRehash')->once()->with('hash')->andReturn(true);
         $hasher->shouldReceive('make')->once()->with('plain')->andReturn('rehashed');
+
         $conn = m::mock(Connection::class);
         $table = m::mock(ConnectionInterface::class);
         $conn->shouldReceive('table')->once()->with('foo')->andReturn($table);
         $table->shouldReceive('where')->once()->with('id', 1)->andReturnSelf();
         $table->shouldReceive('update')->once()->with(['password_attribute' => 'rehashed']);
-        $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
+
         $user = m::mock(Authenticatable::class);
         $user->shouldReceive('getAuthIdentifierName')->once()->andReturn('id');
         $user->shouldReceive('getAuthIdentifier')->once()->andReturn(1);
         $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
         $user->shouldReceive('getAuthPasswordName')->once()->andReturn('password_attribute');
-        $result = $provider->validateCredentials($user, ['password' => 'plain']);
 
-        $this->assertTrue($result);
+        $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
+        $provider->rehashPasswordIfRequired($user, ['password' => 'plain']);
     }
 
-    public function testCredentialValidationFailed()
+    public function testDontRehashPasswordIfNotRequired()
     {
-        $conn = m::mock(Connection::class);
         $hasher = m::mock(Hasher::class);
-        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(false);
-        $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
+        $hasher->shouldReceive('needsRehash')->once()->with('hash')->andReturn(false);
+        $hasher->shouldNotReceive('make');
+
+        $conn = m::mock(Connection::class);
+        $table = m::mock(ConnectionInterface::class);
+        $conn->shouldNotReceive('table');
+        $table->shouldNotReceive('where');
+        $table->shouldNotReceive('update');
+
         $user = m::mock(Authenticatable::class);
         $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
-        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+        $user->shouldNotReceive('getAuthIdentifierName');
+        $user->shouldNotReceive('getAuthIdentifier');
+        $user->shouldNotReceive('getAuthPasswordName');
 
-        $this->assertFalse($result);
+        $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
+        $provider->rehashPasswordIfRequired($user, ['password' => 'plain']);
     }
 }
diff --git a/tests/Auth/AuthEloquentUserProviderTest.php b/tests/Auth/AuthEloquentUserProviderTest.php
@@ -132,7 +132,6 @@ public function testCredentialValidation()
     {
         $hasher = m::mock(Hasher::class);
         $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(true);
-        $hasher->shouldReceive('needsRehash')->once()->with('hash')->andReturn(false);
         $provider = new EloquentUserProvider($hasher, 'foo');
         $user = m::mock(Authenticatable::class);
         $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
@@ -141,33 +140,48 @@ public function testCredentialValidation()
         $this->assertTrue($result);
     }
 
-    public function testCredentialValidationRequiresRehash()
+    public function testCredentialValidationFailed()
+    {
+        $hasher = m::mock(Hasher::class);
+        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(false);
+        $provider = new EloquentUserProvider($hasher, 'foo');
+        $user = m::mock(Authenticatable::class);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
+        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+
+        $this->assertFalse($result);
+    }
+
+    public function testRehashPasswordIfRequired()
     {
         $hasher = m::mock(Hasher::class);
-        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(true);
         $hasher->shouldReceive('needsRehash')->once()->with('hash')->andReturn(true);
         $hasher->shouldReceive('make')->once()->with('plain')->andReturn('rehashed');
-        $provider = new EloquentUserProvider($hasher, 'foo');
+
         $user = m::mock(Authenticatable::class);
         $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
         $user->shouldReceive('getAuthPasswordName')->once()->andReturn('password_attribute');
         $user->shouldReceive('forceFill')->once()->with(['password_attribute' => 'rehashed'])->andReturnSelf();
         $user->shouldReceive('save')->once();
-        $result = $provider->validateCredentials($user, ['password' => 'plain']);
 
-        $this->assertTrue($result);
+        $provider = new EloquentUserProvider($hasher, 'foo');
+        $provider->rehashPasswordIfRequired($user, ['password' => 'plain']);
     }
 
-    public function testCredentialValidationFailed()
+    public function testDontRehashPasswordIfNotRequired()
     {
         $hasher = m::mock(Hasher::class);
-        $hasher->shouldReceive('check')->once()->with('plain', 'hash')->andReturn(false);
-        $provider = new EloquentUserProvider($hasher, 'foo');
+        $hasher->shouldReceive('needsRehash')->once()->with('hash')->andReturn(false);
+        $hasher->shouldNotReceive('make');
+
         $user = m::mock(Authenticatable::class);
         $user->shouldReceive('getAuthPassword')->once()->andReturn('hash');
-        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+        $user->shouldNotReceive('getAuthPasswordName');
+        $user->shouldNotReceive('forceFill');
+        $user->shouldNotReceive('save');
 
-        $this->assertFalse($result);
+        $provider = new EloquentUserProvider($hasher, 'foo');
+        $provider->rehashPasswordIfRequired($user, ['password' => 'plain']);
     }
 
     public function testModelsCanBeCreated()
diff --git a/tests/Auth/AuthGuardTest.php b/tests/Auth/AuthGuardTest.php
@@ -103,6 +103,7 @@ public function testAttemptCallsRetrieveByCredentials()
         $events->shouldReceive('dispatch')->once()->with(m::type(Failed::class));
         $events->shouldNotReceive('dispatch')->with(m::type(Validated::class));
         $guard->getProvider()->shouldReceive('retrieveByCredentials')->once()->with(['foo']);
+        $guard->getProvider()->shouldNotReceive('rehashPasswordIfRequired');
         $guard->attempt(['foo']);
     }
 
@@ -119,6 +120,7 @@ public function testAttemptReturnsUserInterface()
         $user = $this->createMock(Authenticatable::class);
         $guard->getProvider()->shouldReceive('retrieveByCredentials')->once()->andReturn($user);
         $guard->getProvider()->shouldReceive('validateCredentials')->with($user, ['foo'])->andReturn(true);
+        $guard->getProvider()->shouldReceive('rehashPasswordIfRequired')->with($user, ['foo'])->once();
         $guard->expects($this->once())->method('login')->with($this->equalTo($user));
         $this->assertTrue($guard->attempt(['foo']));
     }
@@ -135,6 +137,7 @@ public function testAttemptReturnsFalseIfUserNotGiven()
         $events->shouldReceive('dispatch')->once()->with(m::type(Failed::class));
         $events->shouldNotReceive('dispatch')->with(m::type(Validated::class));
         $mock->getProvider()->shouldReceive('retrieveByCredentials')->once()->andReturn(null);
+        $mock->getProvider()->shouldNotReceive('rehashPasswordIfRequired');
         $this->assertFalse($mock->attempt(['foo']));
     }
 
@@ -159,6 +162,7 @@ public function testAttemptAndWithCallbacks()
         $mock->getProvider()->shouldReceive('retrieveByCredentials')->times(3)->with(['foo'])->andReturn($user);
         $mock->getProvider()->shouldReceive('validateCredentials')->twice()->andReturnTrue();
         $mock->getProvider()->shouldReceive('validateCredentials')->once()->andReturnFalse();
+        $mock->getProvider()->shouldReceive('rehashPasswordIfRequired')->with($user, ['foo'])->once();
 
         $this->assertTrue($mock->attemptWhen(['foo'], function ($user, $guard) {
             static::assertInstanceOf(Authenticatable::class, $user);
@@ -183,6 +187,24 @@ public function testAttemptAndWithCallbacks()
         $this->assertFalse($executed);
     }
 
+    public function testAttemptRehashesPasswordWhenRequired()
+    {
+        [$session, $provider, $request, $cookie, $timebox] = $this->getMocks();
+        $guard = $this->getMockBuilder(SessionGuard::class)->onlyMethods(['login'])->setConstructorArgs(['default', $provider, $session, $request, $timebox])->getMock();
+        $guard->setDispatcher($events = m::mock(Dispatcher::class));
+        $timebox->shouldReceive('call')->once()->andReturnUsing(function ($callback, $microseconds) use ($timebox) {
+            return $callback($timebox->shouldReceive('returnEarly')->once()->getMock());
+        });
+        $events->shouldReceive('dispatch')->once()->with(m::type(Attempting::class));
+        $events->shouldReceive('dispatch')->once()->with(m::type(Validated::class));
+        $user = $this->createMock(Authenticatable::class);
+        $guard->getProvider()->shouldReceive('retrieveByCredentials')->once()->andReturn($user);
+        $guard->getProvider()->shouldReceive('validateCredentials')->with($user, ['foo'])->andReturn(true);
+        $guard->getProvider()->shouldReceive('rehashPasswordIfRequired')->with($user, ['foo'])->once();
+        $guard->expects($this->once())->method('login')->with($this->equalTo($user));
+        $this->assertTrue($guard->attempt(['foo']));
+    }
+
     public function testLoginStoresIdentifierInSession()
     {
         [$session, $provider, $request, $cookie] = $this->getMocks();
@@ -235,6 +257,7 @@ public function testFailedAttemptFiresFailedEvent()
         $events->shouldReceive('dispatch')->once()->with(m::type(Failed::class));
         $events->shouldNotReceive('dispatch')->with(m::type(Validated::class));
         $guard->getProvider()->shouldReceive('retrieveByCredentials')->once()->with(['foo'])->andReturn(null);
+        $guard->getProvider()->shouldNotReceive('rehashPasswordIfRequired');
         $guard->attempt(['foo']);
     }
 
