Replaced account password verification through "sudo doveadm" with password_verify() call

2020-05-24 14:29:06 +02:00 · 2020-05-24 14:29:06 +02:00 · 1269a40f3f
commit 1269a40f3f
parent 50f16788f9
2 changed files with 10 additions and 36 deletions
--- a/app/DovecotPw.php
+++ b/app/DovecotPw.php
@ -1,5 +1,6 @@
 <?php
 namespace App;
+use App\User;

 class DovecotPw
 {
@ -27,32 +28,4 @@ class DovecotPw
        return $lines[0];
    }

-    public static function Validate($user, $password)
-    {
-        $fp = [];
-        $m = static::$method;
-        $r = static::$rounds;
-        $proc = proc_open(  "'sudo' '/usr/bin/doveadm' 'auth' 'test' '-x' 'service=imap' '{$user}'",
-                            [0 => ["pipe","r"], 1 => ["pipe", "w"], 2 => ["pipe", "w"]],
-                            $fp);
-
-        // write password
-        fwrite($fp[0],$password . "\n");
-
-        // retrieve hash
-        $s = fread($fp[1],512);
-
-        // and only return the parts before the first line end
-        $lines = preg_split("/\r\n|\n|\r/", $s);
-        if(preg_match('/(.*)auth succeeded$/',$lines[0]))
-        {
-           return true;
-        }
-        else 
-        {
-            return false;
-        }
-
-    }
-
 }
--- a/app/Http/Controllers/AccountPwController.php
+++ b/app/Http/Controllers/AccountPwController.php
@ -57,13 +57,6 @@ class AccountPwController extends Controller
                'newpass' => ['required', 'string',],
            ]);

-            // now validate if proper password credentials were sent
-            $validCredentials = DovecotPw::Validate($validatedData['username'],$validatedData['pass']);
-            if(!$validCredentials)
-            {
-                throw new ErrorException("Username/Password do not match");
-            }
-        
            // split account into user and domain
            $dparts = explode('@',$validatedData['username'],2);
            $username = $dparts[0];
@ -71,9 +64,17 @@ class AccountPwController extends Controller

            // retrieve proper account
            $account = Account::where('username',$username)->where('domain', $domain)->firstOr(function(){
-                throw new  ErrorException('Account not found');
+                throw new ErrorException("Username not recognized");
            });

+            // now validate if proper password credentials were sent
+            $hash = preg_replace("/^\{.*?\}/","",$account->password);
+            $validCredentials = password_verify($validatedData['pass'],$hash);
+            if(!$validCredentials)
+            {
+                throw new ErrorException("Username/Password combination not recognized");
+            }
+
            // Check if password meets policy and set if so

            if(Entropy::Calculate($validatedData['newpass']) < static::MinimumEntropy) {