使用 Laravel auth::attempt 和散列密码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16001362/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using Laravel auth::attempt with hashed password
提问by Sébastien Lavoie
This seems like a really easy one but I really can't figure it out. I want to use Auth::attempt($credentials)in Laravel 4but with a password that has already been hashed (since it's an API). It works when I send the unhashed password, but I don't understand how to tell Auth to “not hash” the given password.
这看起来很简单,但我真的想不通。我想Auth::attempt($credentials)在Laravel 4 中使用,但密码已经过哈希处理(因为它是一个 API)。当我发送未散列的密码时它起作用,但我不明白如何告诉 Auth “不散列”给定的密码。
Quick “demo”
快速“演示”
What works:
什么工作:
Auth::attempt([Request::getUser(), Request::getPassword()]);
curl --user username:notHashedPassword localhost:8000/api/
What doesn't work:
什么不起作用:
Auth::attempt([Request::getUser(), Request::getPassword()]);
curl --user username:y$xo7HpxFyeF2UKHOYs/e localhost:8000/api/
Are there any arguments I could pass to Auth::attempt()that would tell it to use it as it is instead of trying to rehash it (as I think it does)?
是否有任何我可以传递给Auth::attempt()它的参数会告诉它按原样使用它,而不是试图重新哈希它(正如我认为的那样)?
采纳答案by Phill Sparks
The hashing method used by Laravel generates a different hash each time (even for the same string). You can read more about this in Hashing for Laravel. As you can read, it doesn't hash both strings and compare them, instead it uses the unhashed string to compare with the hash.
Laravel 使用的散列方法每次都会生成不同的散列(即使是同一个字符串)。您可以在Hashing for Laravel 中阅读更多相关信息。如您所见,它不会对两个字符串进行哈希处理并进行比较,而是使用未哈希处理的字符串与哈希进行比较。
If you really do want to do this you'll need to implement your own Auth Provider and a different hashing algorithm that allows you to compare hashes.
如果你真的想这样做,你需要实现你自己的身份验证提供者和不同的散列算法,允许你比较散列。
If you're concerned about security you should consider HTTPS so that secure details (including passwords) are never sent in plain text.
如果您担心安全性,您应该考虑使用 HTTPS,这样安全详细信息(包括密码)就不会以纯文本形式发送。
回答by Mirko Akov
You can login the user manually
您可以手动登录用户
$user = User::find($id);
if ($user->password == Request::getPassword()) {
Auth::login($user->id);
}
回答by tplaner
You really shouldn't be hashing the password before you are sending them. How are you going to be able to hash the password properly prior to sending it without the salt? If you have access to the salt before sending the password then why are you using an API?
在发送密码之前,您真的不应该对密码进行哈希处理。在没有盐的情况下发送密码之前,您将如何正确散列密码?如果您在发送密码之前可以访问盐,那么您为什么要使用 API?
If you are worried about security of passing an un-hashed password, then you should be using SSL to ensure a secure transfer of data.
如果您担心传递未散列密码的安全性,那么您应该使用 SSL 来确保数据的安全传输。
Don't consider an API any different then using a web page -- and you don't salt passwords before you submit a form on a website, instead if you need that level of security you rely on https / SSL.
不要认为 API 与使用网页有任何不同——并且在网站上提交表单之前不要对密码加盐,相反,如果您需要依赖 https/SSL 的安全级别。
