Hash password compatibility between Yii (Php Crypt) and Laravel Sentinel


Question



I'm building a Laravel app using Sentinel, based on old system code in Yii.

The purpose is to be able to log in to the new system with old users / old db.

I first had to resolve a model issue:

Custom Model and fields with Sentinel / Laravel

Now, it is ok.

I have one last issue: it seems to be hashing passwords in different ways.

When I check the hash method in Yii, I can see that it uses the Blowfish algorithm:

    /**
 * CPasswordHelper provides a simple API for secure password hashing and verification.
 *
 * CPasswordHelper uses the Blowfish hash algorithm available in many PHP runtime
 * environments through the PHP {@link http://php.net/manual/en/function.crypt.php crypt()}
 * built-in function. As of Dec 2012 it is the strongest algorithm available in PHP
 * and the only algorithm without some security concerns surrounding it. For this reason,
 * CPasswordHelper fails to initialize when run in and environment that does not have
 * crypt() and its Blowfish option. Systems with the option include:
 * (1) Most *nix systems since PHP 4 (the algorithm is part of the library function crypt(3));
 * (2) All PHP systems since 5.3.0; (3) All PHP systems with the
 * {@link http://www.hardened-php.net/suhosin/ Suhosin patch}.
 * For more information about password hashing, crypt() and Blowfish, please read
 * the Yii Wiki article
 * {@link http://www.yiiframework.com/wiki/425/use-crypt-for-password-storage/ Use crypt() for password storage}.
 * and the
 * PHP RFC {@link http://wiki.php.net/rfc/password_hash Adding simple password hashing API}.
 *
 * CPasswordHelper throws an exception if the Blowfish hash algorithm is not
 * available in the runtime PHP's crypt() function. It can be used as follows
 *

On the other hand, Sentinel manages several hash methods:

Native hasher
Bcrypt hasher
Callback hasher
Whirlpool hasher
SHA256 hasher

So, I guessed the common method was bcrypt, and in my Laravel model I did:

class Administrador extends EloquentUser {

    protected $table = 'administrador';
    protected $fillable = [];
    protected $primaryKey = 'administradorid';
    protected $loginNames = ['correo'];

    protected $guarded = ['administradorid'];
    protected $hidden = ['contrasena', 'remember_token'];
    use SoftDeletes;

    protected $dates = ['deleted_at'];
    /**
     * Set the Sentry User Model Hasher to be the same as the configured Sentry Hasher
     */
    public static function boot()
    {
        parent::boot();
        Sentinel::setHasher(new BcryptHasher);

    }
}

So really, I don't really know what to do to solve it....

Solution

What you can do to support both systems at this time is create an implementation of the Cartalyst\Sentinel\Hashing\HasherInterface, like this for example:

use Cartalyst\Sentinel\Hashing\HasherInterface;

class CombinedHasher implements HasherInterface
{
    /**
     * @var HasherInterface
     */
    private $primary;

    /**
     * @var HasherInterface
     */
    private $fallback;

    /**
     * @param HasherInterface $primary
     * @param HasherInterface $fallback
     */
    public function __construct(HasherInterface $primary, HasherInterface $fallback)
    {
        $this->primary = $primary;
        $this->fallback = $fallback;
    }

    /**
     * Hash the given value.
     *
     * @param  string $value
     * @return string
     * @throws \RuntimeException
     */
    public function hash($value)
    {
        return $this->primary->hash($value);
    }

    /**
     * Checks the string against the hashed value.
     *
     * @param  string $value
     * @param  string $hashedValue
     * @return bool
     */
    public function check($value, $hashedValue)
    {
        if ($this->primary->check($value, $hashedValue)) {
            return true;
        }

        return $this->fallback->check($value, $hashedValue);
    }
}

As you can see, it takes two instances of the HasherInterface. So in this case you would inject the new implementation you want to use first and then create an implementation of the interface which implements the hashing algorithm Yii is using.

While checking the hash it will first use the new hashing algorithm. If this returns false it will also check using the fallback (Yii algorithm). To create hashes it will only use the new hashing algorithm. (You might want to change this for development however you should not develop using the production database anyways.)

So what you have to do next is create an implementation of the HasherInterface which will use the hashing algorithm Yii is using:

use Cartalyst\Sentinel\Hashing\HasherInterface;

class YiiHasher implements HasherInterface
{
    /**
     * Hash the given value.
     *
     * @param  string $value
     * @return string
     * @throws \RuntimeException
     */
    public function hash($value)
    {
        // You'll have to implement this
        return yiiHasher($value);
    }

    /**
     * Checks the string against the hashed value.
     *
     * @param  string $value
     * @param  string $hashedValue
     * @return bool
     */
    public function check($value, $hashedValue)
    {
        // You'll have to implement this
        return yiiHashChecker($value, $hashedValue);
    }
}

You'll have to check whether Yii has a package for this or you'll have to check their source code to see how it works.

So to use this you would create an instance of the CombinedHasher like this:

use Cartalyst\Sentinel\Hashing\BcryptHasher;
use Namespace\For\Your\YiiHasher;

$primary = new BcryptHasher();
$fallback = new YiiHasher();
$hasher = new CombinedHasher($primary, $fallback);

Update 1: Extra info from the documentation

After actually reading through their documentation I noticed they also provide a CallbackHasher which might be less work to set up: https://cartalyst.com/manual/sentinel/2.0#callback-hasher

They also recommend using the NativeHasher over the BcryptHasher: https://cartalyst.com/manual/sentinel/2.0#native-hasher

Update 2: Where to set up

You could for example create them in app/Hashing. Then you'd have to make sure they have the namespace App\Hashing.

To set this up you can use your AppServiceProvider which is located in app/Providers/AppServiceProvider.php.

// Import the classes on the top
use App\Hashing\CombinedHasher;
use App\Hashing\YiiHasher;
use Cartalyst\Sentinel\Hashing\NativeHasher;

// In the AppServiceProvider class itself
public function boot()
{
    $hasher = $this->app['Cartalyst\Sentinel\Hashing\HasherInterface'];
    Sentinel::setHasher($hasher);
}

public function register()
{
    $this->app->singleton('Cartalyst\Sentinel\Hashing\HasherInterface', function($app) {
        $primary = new NativeHasher();
        $secondary = new YiiHasher();

        return new CombinedHasher($primary, $secondary);
    });
}
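
One way to fill in the `YiiHasher` placeholders from the answer, as an added example that is not part of the original post or of Yii/Sentinel. It assumes the legacy column holds `crypt()` Blowfish strings, as the CPasswordHelper docblock quoted in the question describes; the local `HasherInterface` is a stand-in for Sentinel's so the file runs on its own, and the cost value and sample password are constructed.

```php
<?php
// Added example. Stand-in for Cartalyst\Sentinel\Hashing\HasherInterface so the
// file runs without Sentinel installed; in the app, implement the real interface.
interface HasherInterface
{
    public function hash($value);
    public function check($value, $hashedValue);
}

class YiiHasher implements HasherInterface
{
    /** @var int bcrypt cost for new hashes (assumed value, tune per host) */
    private $cost;

    public function __construct($cost = 13)
    {
        $this->cost = $cost;
    }

    public function hash($value)
    {
        // password_hash() is used here to emit a crypt(3) Blowfish string,
        // the same format that crypt() verifies in check().
        return password_hash($value, PASSWORD_BCRYPT, ['cost' => $this->cost]);
    }

    public function check($value, $hashedValue)
    {
        // Accept only well-formed bcrypt strings; anything else (empty column,
        // another legacy scheme) fails closed instead of reaching crypt().
        if (!is_string($hashedValue)
            || !preg_match('/^\$2[axy]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $hashedValue)) {
            return false;
        }
        // crypt() reuses the salt and cost embedded in the stored hash.
        $computed = crypt($value, $hashedValue);
        // Constant-time comparison avoids leaking how many bytes matched.
        return is_string($computed) && hash_equals($hashedValue, $computed);
    }
}

// Constructed sample: a legacy-style hash built with crypt() and a fixed salt.
$legacy = crypt('s3cret-sample', '$2y$10$abcdefghijklmnopqrstuu');
$hasher = new YiiHasher();
var_dump($hasher->check('s3cret-sample', $legacy)); // correct password
var_dump($hasher->check('wrong-guess', $legacy));   // wrong password
var_dump($hasher->check('s3cret-sample', ''));      // empty column fails closed
```

Passed as the fallback to `CombinedHasher`, this class only verifies old hashes; new hashes still come from the primary hasher, as the answer describes.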
