From 8355f85e0a1e22f64248919a5759458ba897f0ee Mon Sep 17 00:00:00 2001
From: Thomas Lange <code@nerdmind.de>
Date: Sun, 20 Jun 2021 21:23:46 +0200
Subject: Call password_verify directly in login script

---
 admin/auth.php               | 3 ++-
 core/namespace/User/Item.php | 7 -------
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/admin/auth.php b/admin/auth.php
index 8c6d5a6..9674563 100644
--- a/admin/auth.php
+++ b/admin/auth.php
@@ -30,8 +30,9 @@ if(Application::isAuthenticated()) {
 if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'username', 'password')) {
 	try {
 		$User = User\Factory::buildByUsername(HTTP::POST('username'));
+		$password = $User->getAttribute()->get('password');
 
-		if($User->comparePassword(HTTP::POST('password'))) {
+		if(password_verify(HTTP::POST('password'), $password)) {
 			$_SESSION['auth'] = $User->getID();
 			HTTP::redirect(Application::getAdminURL());
 		}
diff --git a/core/namespace/User/Item.php b/core/namespace/User/Item.php
index a4ab799..e3ecd2b 100644
--- a/core/namespace/User/Item.php
+++ b/core/namespace/User/Item.php
@@ -25,11 +25,4 @@ class Item extends \Item {
 
 		return sha1(implode(NULL, $attributes));
 	}
-
-	#===============================================================================
-	# Compare plaintext password with hashed password from database
-	#===============================================================================
-	public function comparePassword($password): bool {
-		return password_verify($password, $this->Attribute->get('password'));
-	}
 }
-- 
cgit v1.2.3