
I'm using Cartalyst Sentinel for the user authentication within Laravel. I've created my form to add a new user. For some strange reason the password does not come through Sentinel::register() unless I put the password field into the $fillable array in the User class model. This is a potential security issue. How can I get around this? There must be something I am missing when creating a new user with Sentinel (and the Sentinel documents are very light on useful info).

Just a quick rundown of what I'm doing code wise. I have my array filled with the fields that are required to create a user. This array is passed into Sentinel::register(). It all seems to go through fine, but when I go to look in the database, the password field is blank.

$newUser = array(
    '_token' => Input::get('_token'),
    'email' => Input::get('email'),
    'password' => Input::get('password'),
    'first_name' => Input::get('first_name'),
    'middle_name' => Input::get('middle_name'),
    'last_name' => Input::get('last_name'));

$user = Sentinel::register($newUser);

Just a side note: unfortunately I cannot switch the authentication system. I need to use Sentinel.

zetetic
  • ``Sentinel::register`` uses fill method, so if you want to mass-assign you have to supply ``password`` field in ``$fillable`` on your model. – arma Feb 10 '16 at 01:52

2 Answers

1

You'd need to set the password option manually on a new user if you don't want to make it a fillable property.

$newUser = array(
    '_token' => Input::get('_token'),
    'email' => Input::get('email'),
    'first_name' => Input::get('first_name'),
    'middle_name' => Input::get('middle_name'),
    'last_name' => Input::get('last_name'));

$user = Sentinel::register($newUser);

$user->password = Input::get('password');

$user->save();

You probably need to be hashing the password before you set it too, right? Something like $user->password = \Hash::make(Input::get('password'));. Unless Sentinel does that automatically.

Jeff
  • If password is in the $fillable array, then Sentinel is able to grab the password, hashes it and saves the user to the database. But seems like I may have to do it the way you suggested. Thanks. – zetetic Feb 10 '16 at 01:48
1

Just another way of doing almost the same as Jeff's answer. This should work based on the Sentinel code, though I have not used Sentinel. Test before deploying.

$newUser = array(
    '_token' => Input::get('_token'),
    'email' => Input::get('email'),
    'password' => Input::get('password'),
    'first_name' => Input::get('first_name'),
    'middle_name' => Input::get('middle_name'),
    'last_name' => Input::get('last_name')
);

// The callback receives the new user after fill() has run, so a direct
// property assignment here is not subject to $fillable.
Sentinel::register($newUser, function ($user) use ($newUser) {
    try {
        return $user->password = \Hash::make($newUser['password']);
    } catch (\RuntimeException $e) {
        return false; // abort creation if hashing fails
    }
});

The callback runs after the fill method, so it should bypass the $fillable restriction, and you can remove password from fillable if your design requires that.
If false is returned in the callback, the user will not be created.

arma
  • This method works, and I think I like this way more since it keeps all together. Also, the `$user->hasher->hash()` doesn't exist. Instead I used `\Hash::make($newUser['password']);` – zetetic Feb 10 '16 at 02:46
  • @zetetic oh cool, didn't investigate hash much on the code :) If it works for you then it's okay I guess. – arma Feb 10 '16 at 02:51
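A hardened version of the callback approach from the answers, added here as an example (it is not code from the question, the answers or Sentinel itself): it whitelists the request keys before calling Sentinel::register(), so keeping 'password' out of $fillable and never passing Input::all() into the model together address the mass-assignment concern the question raises. The controller name, route name and validation rules are assumptions.

```php
<?php
// Added example, not code from the question or the answers above: the same
// Sentinel::register() callback pattern with the request data whitelisted,
// so $fillable never receives keys the form is not meant to supply.
// Assumes the Laravel Input/Validator/Hash/Redirect facades and the Sentinel
// facade used on this page; the controller and route names are hypothetical.

class RegisterController extends Controller
{
    // Only these keys are handed to Sentinel. '_token' is the CSRF token and
    // does not belong in the user attributes at all.
    private $allowed = ['email', 'first_name', 'middle_name', 'last_name'];

    public function store()
    {
        $validator = Validator::make(Input::all(), [
            'email'      => 'required|email',
            'password'   => 'required|min:8',
            'first_name' => 'required',
            'last_name'  => 'required',
        ]);

        if ($validator->fails()) {
            return Redirect::back()->withErrors($validator)
                ->withInput(Input::except('password'));
        }

        // Whitelist instead of Input::all(): even with 'password' in $fillable,
        // a crafted request cannot mass-assign any column not listed above.
        $attributes = Input::only($this->allowed);
        $password   = Input::get('password');

        $user = Sentinel::register($attributes, function ($user) use ($password) {
            if ($password === null || $password === '') {
                return false; // returning false aborts the registration
            }
            // Direct assignment bypasses $fillable, so 'password' can stay out of it.
            $user->password = Hash::make($password);
            return true;
        });

        if (! $user) {
            return Redirect::back()->withErrors(['password' => 'Registration failed.']);
        }

        return Redirect::route('login');
    }
}
```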