
I'm trying to import users from WordPress to Laravel but I can't get the passwords right. When the user logs in I need to check the password against md5 and hash it in bcrypt if it's correct.

I've tried this in AuthenticatesUsers.php login():

```php
// If user got here it means the AUTH was unsuccessful
// Try to log them IN using MD5
if ($user = User::where('email', $credentials['email'])->where('password', md5($credentials['password']))->first()) {
    // If this condition is true, the user had the right password.

    // Hash the password using bcrypt
    $user->password = Hash::make($credentials['password']);
    $user->save();

    if (Auth::guard($this->getGuard())->attempt($credentials, $request->has('remember'))) {
        return $this->handleUserWasAuthenticated($request, $throttles);
    }

    return $this->handleUserWasAuthenticated($request, $throttles);
}
```

I've also tried with "Migrating old md5 passwords to bcrypt with Laravel 5.2's built in auth", but I can't get it to validate the md5 password.

mattesj
  • What happens in `$user = User::where(...`? Does it find the user? – Antonio Carlos Ribeiro Dec 01 '16 at 20:22
  • Yes, it finds the user but it can't validate the md5 password. – mattesj Dec 01 '16 at 20:28
  • If it finds the user, the md5 password is already validated; what you are not able to do is authenticate your user after hashing the password to bcrypt, I think... The problem may be in `if (Auth::guard($this->getGuard())->attempt($credentials, $request->has('remember')))` – Antonio Carlos Ribeiro Dec 01 '16 at 20:33
  • Maybe I misunderstood you. It finds the user by email but it doesn't run the code inside the brackets because it doesn't validate the password. Does the md5() work for $P$ passwords? – mattesj Dec 01 '16 at 20:45
  • Are you sure passwords are md5 hashed? This doesn't look like MD5 at all: http://www.passwordtool.hu/wordpress-password-hash-generator-v3-v4 – Antonio Carlos Ribeiro Dec 01 '16 at 20:51
  • You're right, it's WordPress's new hashing method I'm using. Starting with $P$B. Is this possible to reverse into plain text? – mattesj Dec 01 '16 at 21:10

1 Answer


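Use mikemclin/laravel-wp-password to hash/check your passwords:

```php
use MikeMcLin\WpPassword\Facades\WpPassword; // facade provided by the package

$password = 'plain-text-password';

$wp_hashed_password = '$P$B7TRc6vrwCfjgKLZLgmN.dmPo6msZR.';

// check() recomputes the WordPress hash for $password and compares it with the stored one
if ( WpPassword::check($password, $wp_hashed_password) ) {
    // Password success!
} else {
    // Password failed :(
}
```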
Antonio Carlos Ribeiro
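Why `md5()` never matches a `$P$B` value, and what a rehash-on-login looks like, as an added example (not code from the question, the answer, or the mikemclin/laravel-wp-password package): a standalone re-implementation of the phpass "portable" scheme behind WordPress `$P$` hashes, followed by an upgrade to bcrypt. The function names, salt and password are constructed for illustration; in Laravel the `password_hash()` call would be the `Hash::make()` call from the question.

```php
<?php
// Added example. Names, salt and password below are constructed for illustration.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's own base64 variant: 3 bytes little-endian -> four 6-bit indexes into ITOA64.
function phpassEncode64(string $bin): string {
    $out = '';
    $len = strlen($bin);
    for ($i = 0; $i < $len; $i += 3) {
        $v = ord($bin[$i])
           | (($i + 1 < $len ? ord($bin[$i + 1]) : 0) << 8)
           | (($i + 2 < $len ? ord($bin[$i + 2]) : 0) << 16);
        $chars = min(4, $len - $i + 1);      // a trailing 1 or 2 bytes give 2 or 3 chars
        for ($j = 0; $j < $chars; $j++) {
            $out .= ITOA64[($v >> (6 * $j)) & 0x3f];
        }
    }
    return $out;
}

// Recompute a "$P$" hash from the settings (cost char + 8-char salt) at the start of $stored.
function phpassCrypt(string $password, string $stored): ?string {
    $log2 = strlen($stored) >= 12 ? strpos(ITOA64, $stored[3]) : false;
    if (substr($stored, 0, 3) !== '$P$' || $log2 === false || $log2 < 7 || $log2 > 30) {
        return null;                          // not a usable $P$ setting
    }
    $hash = md5(substr($stored, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {     // cost char 'B' is index 13: 8192 rounds
        $hash = md5($hash . $password, true);
    }
    return substr($stored, 0, 12) . phpassEncode64($hash);
}

// Returns the hash to store after a successful login, or null when the password is wrong.
function verifyAndUpgrade(string $password, string $stored): ?string {
    if (substr($stored, 0, 3) === '$P$') {
        $calc = phpassCrypt($password, $stored);
        return ($calc !== null && hash_equals($stored, $calc))
            ? password_hash($password, PASSWORD_BCRYPT)   // upgrade legacy hash to bcrypt
            : null;
    }
    return password_verify($password, $stored) ? $stored : null;
}

$legacy = phpassCrypt('correct horse', '$P$BabcdEFGH');       // constructed legacy hash
var_dump($legacy, md5('correct horse') === $legacy);          // plain md5() vs. the $P$ string
var_dump(verifyAndUpgrade('wrong guess', $legacy));           // wrong password
$new = verifyAndUpgrade('correct horse', $legacy);            // right password: bcrypt hash
var_dump($new, verifyAndUpgrade('correct horse', $new) === $new);
```

On a successful login, write the returned hash back to the user row whenever it differs from the stored value, so each account moves to bcrypt the first time its owner signs in.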