<?php
/**
* Plugin Name: WP Password bcrypt
* Plugin URI: https://github.com/roots/wp-password-bcrypt
* Description: Replaces wp_hash_password and wp_check_password with password_hash and password_verify.
* Author: Roots
* Author URI: https://roots.io
* Version: 1.1.0
* Licence: MIT
*/
/**
 * Verify a plaintext password against a stored hash, migrating outdated hashes.
 *
 * A hash that already satisfies PASSWORD_DEFAULT and the filtered
 * 'wp_hash_password_options' is checked with password_verify() alone.
 * Any other hash is first checked with the phpass hasher; when that succeeds
 * and a user ID was supplied, wp_set_password() produces a fresh hash and the
 * final password_verify() runs against that new hash.
 *
 * NOTE(review): without a user ID nothing is migrated, so the final
 * password_verify() runs against the original hash. A hash format that only
 * phpass understands is therefore expected to fail here even for the correct
 * password - confirm that callers holding such hashes always pass an ID.
 *
 * Callbacks on the 'check_password' filter receive the plaintext password and
 * the hash; they must not log or persist either value.
 *
 * Each #[\SensitiveParameter] attribute sits on its own line so that PHP
 * versions without attribute syntax read it as a '#' line comment.
 *
 * @link https://www.php.net/manual/en/function.password-verify.php
 * @link https://www.php.net/manual/en/function.password-needs-rehash.php
 *
 * @param string     $password The password in plaintext.
 * @param string     $hash     The stored hash to check against.
 * @param string|int $user_id  Optional user ID; required for the rehash path.
 * @return bool The password_verify() result as passed through 'check_password'.
 *
 * @SuppressWarnings(PHPMD.CamelCaseVariableName) $wp_hasher
 */
function wp_check_password(
    #[\SensitiveParameter]
    $password,
    #[\SensitiveParameter]
    $hash,
    $user_id = ''
) {
    // The same filter feeds wp_hash_password(), so hashing and the rehash
    // decision always work from one set of options.
    $options = apply_filters('wp_hash_password_options', []);
    $is_current = ! password_needs_rehash($hash, PASSWORD_DEFAULT, $options);

    if (! $is_current) {
        global $wp_hasher;

        // Create the phpass verifier once and share it through the global.
        if (empty($wp_hasher)) {
            require_once ABSPATH . WPINC . '/class-phpass.php';
            $wp_hasher = new PasswordHash(8, true);
        }

        // Only a password proven correct against the old hash may trigger a
        // rehash; the new hash replaces $hash for the final verification.
        if (! empty($user_id) && $wp_hasher->CheckPassword($password, $hash)) {
            $hash = wp_set_password($password, $user_id);
        }
    }

    $matches = password_verify($password, $hash);

    return apply_filters('check_password', $matches, $password, $hash, $user_id);
}
/**
 * Hash a password with password_hash() using PASSWORD_DEFAULT.
 *
 * Options (for example the cost) come from the 'wp_hash_password_options'
 * filter, which wp_check_password() also reads when deciding whether a
 * stored hash needs rehashing. Anything hooked to that filter can therefore
 * weaken or strengthen every new hash, so treat it as security-relevant
 * configuration.
 *
 * PASSWORD_DEFAULT is bcrypt at present; per the PHP manual bcrypt only uses
 * the first 72 bytes of the password, and the default may change in future
 * PHP releases.
 *
 * @link https://www.php.net/manual/en/function.password-hash.php
 *
 * @param string $password The password in plain text.
 * @return string The hash produced by password_hash().
 */
function wp_hash_password(
    #[\SensitiveParameter]
    $password
) {
    $options = apply_filters('wp_hash_password_options', []);

    return password_hash($password, PASSWORD_DEFAULT, $options);
}
/**
 * Hash a password and store it, either as the user's login password or as a
 * replacement for matching application-password entries.
 *
 * Outside XML-RPC/REST requests the new hash is written to the users table,
 * the activation key is cleared, the user cache is flushed and the
 * 'wp_set_password' action fires.
 *
 * When the 'application_password_is_api_request' filter reports an API
 * request, the users table is NOT touched. Instead, every application
 * password whose stored hash matches the plaintext (per phpass) has its hash
 * replaced with the new one. Presumably this keeps a rehash triggered while
 * checking an application password from overwriting the login password.
 *
 * NOTE(review): as a consequence, code that calls this function directly
 * during a REST or XML-RPC request will not change the user's login password,
 * although a hash is still returned - confirm no caller relies on that.
 *
 * @param string $password The new user password in plaintext.
 * @param int    $user_id  The user ID.
 * @return string The new hashed password.
 */
function wp_set_password(
    #[\SensitiveParameter]
    $password,
    $user_id
) {
    // Snapshot taken before any write so the action below can expose it.
    $previous_user = get_userdata($user_id);
    $hash = wp_hash_password($password);

    $in_api_context = (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST)
        || (defined('REST_REQUEST') && REST_REQUEST);
    $is_api_request = apply_filters('application_password_is_api_request', $in_api_context);

    if (! $is_api_request) {
        global $wpdb;

        $wpdb->update(
            $wpdb->users,
            [
                'user_pass' => $hash,
                'user_activation_key' => ''
            ],
            ['ID' => $user_id]
        );
        clean_user_cache($user_id);

        /**
         * Fires after the user password is set.
         *
         * Listeners receive the plaintext password and must not log or store it.
         *
         * @param string  $password      The plaintext password just set.
         * @param int     $user_id       The ID of the user whose password was just set.
         * @param WP_User $old_user_data User data as returned by get_userdata() before the update.
         */
        do_action('wp_set_password', $password, $user_id, $previous_user);

        return $hash;
    }

    // API request: work on application passwords only, if the feature exists.
    if (! class_exists('WP_Application_Passwords')) {
        return $hash;
    }

    $app_passwords = WP_Application_Passwords::get_user_application_passwords($user_id);
    if (empty($app_passwords)) {
        return $hash;
    }

    global $wp_hasher;

    if (empty($wp_hasher)) {
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $wp_hasher = new PasswordHash(8, true);
    }

    // Swap the hash only on entries the plaintext actually verifies against.
    foreach ($app_passwords as $index => $entry) {
        if ($wp_hasher->CheckPassword($password, $entry['password'])) {
            $app_passwords[$index]['password'] = $hash;
        }
    }

    update_user_meta(
        $user_id,
        WP_Application_Passwords::USERMETA_KEY_APPLICATION_PASSWORDS,
        $app_passwords
    );

    return $hash;
}