1

I am trying to make a more secure version of Laravels included authentication system, by adding a salt to the passwords. But i don't know how to use a custom authentication function. I made one and it looks like this:

public function authenticate(Request $request)
{
    $user = User::where('email', $request->email)->first();

    $password = bcrypt($request->password . $user->salt);

    if (Auth::attempt(['email' => $request->email, 'password' => $password])) {
        return redirect()->intented();
    }
}

I tried doing this from Laravels documentation (5.2)

So to specify it: I can't add a salt to Laravels Auth system, i tried doing it with the function above, but i do not know how to use it?

So can you please help me?

Jonas Hoffmann
  • 305
  • 1
  • 9

2 Answers2

1

Short answer: DON'T DO THAT

You're using the bcrypt hasher that comes with Laravel, and bcrypt has salts built-in to prevent rainbow table attacks, so you don't need to add the salt yourself. The answer linked below explains nicely how the salt is stored in the password itself:

How can bcrypt have built-in salts?

Community
  • 1
  • 1
Bogdan
  • 43,166
  • 12
  • 128
  • 129
0

A better way is to override the authentication routine to add a custom guard to your project. Follow these instructions: Adding Custom Guards

You can extend the Illuminate\Auth\EloquentUserProvider and override the validateCredentials method like this:

/**
 * Validate a user against the given credentials.
 *
 * @param  \Illuminate\Contracts\Auth\Authenticatable  $user
 * @param  array  $credentials
 * @return bool
 */
public function validateCredentials(UserContract $user, array $credentials)
{
    $password = bcrypt($credentials['password'] . $user->salt);
    return $this->hasher->check($password, $user->getAuthPassword());
}
Fiete
  • 1,332
  • 11
  • 12