archetecture security fix
This commit is contained in:
+8
-2
@@ -708,8 +708,14 @@ class User extends Authenticatable implements JWTSubject
|
||||
{
|
||||
if ($value === null || $value === '') return;
|
||||
|
||||
// Avoid double-hashing
|
||||
$this->attributes['password'] = str_starts_with((string)$value, '$2y$')
|
||||
$value = (string) $value;
|
||||
$hashInfo = password_get_info($value);
|
||||
$hashParts = preg_split('/[:$]/', $value);
|
||||
$isPbkdf2Hash = is_array($hashParts) && count($hashParts) === 4;
|
||||
|
||||
// Avoid double-hashing when callers already pass a password_hash()
|
||||
// value or one of the legacy PBKDF2 hashes used by this codebase.
|
||||
$this->attributes['password'] = (($hashInfo['algo'] ?? null) !== null || $isPbkdf2Hash)
|
||||
? $value
|
||||
: Hash::make($value);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user