From 0e3d47f2e117ea72774302bd0147de0a24a311d0 Mon Sep 17 00:00:00 2001
From: Thomas Rupprecht
Date: Thu, 8 Dec 2022 15:57:13 +0100
Subject: [PATCH] replace md5 with random_bytes and use 64 chars for api_key
---
 db/factories/User/PasswordResetFactory.php | 2 +-
 db/factories/User/UserFactory.php | 2 +-
 ...022_12_06_000000_change_api_key_length.php | 31 +++++++++++++++++++
 includes/model/User_model.php | 2 +-
 src/Controllers/PasswordResetController.php | 2 +-
 5 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 db/migrations/2022_12_06_000000_change_api_key_length.php
diff --git a/db/factories/User/PasswordResetFactory.php b/db/factories/User/PasswordResetFactory.php
index 08a02eb7..42b290b6 100644
--- a/db/factories/User/PasswordResetFactory.php
+++ b/db/factories/User/PasswordResetFactory.php
@@ -16,7 +16,7 @@ class PasswordResetFactory extends Factory
 public function definition()
 {
 return [
- 'token' => md5($this->faker->unique()->password()),
+ 'token' => bin2hex(random_bytes(16)),
 ];
 }
 }
diff --git a/db/factories/User/UserFactory.php b/db/factories/User/UserFactory.php
index 591d4574..fb021c41 100644
--- a/db/factories/User/UserFactory.php
+++ b/db/factories/User/UserFactory.php
@@ -19,7 +19,7 @@ class UserFactory extends Factory
 'name' => $this->faker->unique()->userName(),
 'password' => password_hash($this->faker->password(), PASSWORD_DEFAULT),
 'email' => $this->faker->unique()->safeEmail(),
- 'api_key' => md5($this->faker->unique()->password()),
+ 'api_key' => bin2hex(random_bytes(32)),
 ];
 }
 }
diff --git a/db/migrations/2022_12_06_000000_change_api_key_length.php b/db/migrations/2022_12_06_000000_change_api_key_length.php
new file mode 100644
index 00000000..95724d56
--- /dev/null
+++ b/db/migrations/2022_12_06_000000_change_api_key_length.php
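Review bot: The secret sizes are now bare literals in four places — `bin2hex(random_bytes(16))` here and in PasswordResetController, `bin2hex(random_bytes(32))` in UserFactory and in User_reset_api_key — and the 64-character column width in the new migration silently depends on the same number. A single generator on the model, e.g. `public static function generateApiKey(): string` backed by a constant such as `User::API_KEY_BYTES = 32` (and the same for the reset token), would keep the factories, the production code and the migration from drifting apart. The factories should then call that helper instead of repeating the literal, so test data always has the shape production writes.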
@@ -0,0 +1,31 @@
+schema->table('users', function (Blueprint $table) {
+ $table->string('api_key', 64)->change();
+ });
+ }
+
+ /**
+ * Reverse the migration
+ */
+ public function down()
+ {
+ $this->schema->table('users', function (Blueprint $table) {
+ $table->string('api_key', 32)->change();
+ });
+ }
+}
diff --git a/includes/model/User_model.php b/includes/model/User_model.php
index 20a57ab0..d8a2b2b6 100644
--- a/includes/model/User_model.php
+++ b/includes/model/User_model.php
@@ -212,7 +212,7 @@ function User_validate_planned_departure_date($planned_arrival_date, $planned_de
 */
 function User_reset_api_key($user, $log = true)
 {
- $user->api_key = md5($user->name . time() . rand());
+ $user->api_key = bin2hex(random_bytes(32));
 $user->save();
 if ($log) {
diff --git a/src/Controllers/PasswordResetController.php b/src/Controllers/PasswordResetController.php
index 7df1c1c9..26868fcd 100644
--- a/src/Controllers/PasswordResetController.php
+++ b/src/Controllers/PasswordResetController.php
@@ -76,7 +76,7 @@ class PasswordResetController extends BaseController
 if ($user) {
 $reset = (new PasswordReset())->findOrNew($user->id);
 $reset->user_id = $user->id;
- $reset->token = md5(random_bytes(64));
+ $reset->token = bin2hex(random_bytes(16));
 $reset->save();
 $this->log->info(
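Review bot: `down()` shrinks `api_key` back to 32 characters while rows may by then hold the 64-character keys that the new `User_reset_api_key` writes; depending on the database's strict mode that `->change()` either fails outright or silently truncates, and a truncated key no longer matches what the API client was handed. Either refuse the rollback while any stored key is longer than 32 characters, or regenerate those keys as part of `down()`, and say which in the docblock, e.g. `* Rolling back truncates 64-char keys; affected users must reset their API key`. The class header and the start of `up()` are not legible in this rendering of the hunk, so this reads only the visible part; `up()` appears to widen the column only, leaving existing 32-char md5 keys valid until they are reset, which is worth a sentence in its docblock too.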
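Review bot: `random_bytes()` throws (`\Exception`, `Random\RandomException` on PHP 8.2+) when no CSPRNG source is available, whereas the replaced `md5($user->name . time() . rand())` could never fail, so `User_reset_api_key` gains a failure mode its callers did not have before; the docblock that closes at the ` */` just above the hunk should gain `@throws \Exception if no secure random source is available`. The same docblock should state the new key format, e.g. `Assigns a fresh 64-character hex API key (32 random bytes); needs the api_key column widened by the 2022_12_06 migration`, because a deployment that runs this code before that migration will write into a 32-character column. The body of `User_reset_api_key` continues past the end of the hunk.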
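Review bot: The reset token is still persisted in clear text (`$reset->token = bin2hex(random_bytes(16)); $reset->save();`), so read access to the `password_resets` table is enough to complete a pending reset; storing only a digest, e.g. `$reset->token = hash('sha256', $token);` with the raw `$token` going into the email, and hashing the submitted value before lookup would remove that, assuming the lookup code outside this hunk compares the stored column directly, which the hunk does not show. Separately, 16 bytes give 32 hex characters, the same width as the old `md5()` output, so no migration is needed for this table; a one-line comment such as `// 16 bytes -> 32 hex chars, matches the existing token column width` would save the next reader from checking. The `if ($user)` block continues beyond the hunk.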