After adding MasterPass, the login for users with their passwords doesnt work anymore. I'm using the default bcrypt hasher.

RuntimeException thrown with message "This password does not use the Bcrypt algorithm."

Stacktrace: #61 RuntimeException in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Hashing/BcryptHasher.php:61 #60 Illuminate\Hashing\BcryptHasher:check in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Hashing/HashManager.php:73 #59 Illuminate\Hashing\HashManager:check in /htdocs/xx.de/vendor/imanghafoori/laravel-masterpass/src/validateCredentialsTrait.php:26 #58 Imanghafoori\MasterPass\MasterPassEloquentUserProvider:validateCredentials in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php:378 #57 Illuminate\Auth\SessionGuard:hasValidCredentials in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php:355 #56 Illuminate\Auth\SessionGuard:attempt in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php:79 #55 App\Http\Controllers\Auth\LoginController:attemptLogin in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php:44 #54 App\Http\Controllers\Auth\LoginController:login in /htdocs/xx.de/vendor/laravel/framework/src/Illuminate/Routing/Controller.php:54

...

Hi,

I think MASTER_PASSWORD should be always stored hashed. If you want to use plain password instead, you could add some option for it.

But as it is, you cannot use hashed password. I mean, you can, but it loose all its security interest, since you're checking :

$isCorrect = ($plain === $masterPass) || $this->hasher->check($plain, $masterPass);

So you will be logged in if you enter the hashed password...

Should be something like this :

$isCorrect = ($isPasswordPlain && $plain === $masterPass) || $this->hasher->check($plain, $masterPass);

(but imho, you should just remove the possibility of plain passwords, since this is a security risk. Maybe you can add an artisan hash:make command instead.)

Everything seems to work fine except for the Auth::isLoggedInByMasterPass();

"message": "Method Illuminate\Auth\RequestGuard::isLoggedInByMasterPass does not exist.", "exception": "BadMethodCallException"

I'm on Laravel 6.18.3 using passport.

Suggestion :

     private function changeUsersDriver()
     {
-        $driver = config()->get('auth.providers.users.driver');
+        $driver = config()->get('auth.providers.'.confi
g('master_password.auth_provider').'.driver');
         if (in_array($driver, ['eloquent', 'database'])) {
-            config()->set('auth.providers.users.driver', $driver.'MasterPassword');
+            config()->set('auth.providers.'.config('master_password.auth_provider').'.driver', $driver.'MasterPassword');
         }
     }

and in config :

     'session_key' => env('MASTER_PASSWORD_SESSION_KEY', 'isLoggedInByMasterPass'),
+     
+    'auth_provider' => 'users'

Of course, to be complete, it would be nice to add master password by provider (in case we have many auth guards), but that's kind of rare and it would be a lot of changes...

Laravel Framework 6.8.3

Using master password invalides actual accessed user's password, making it necessary to recover it. What am I missing?

The solution you give in the closed issue doesn't work for me:

hmmm.... You may set a listener for the event : "masterPass.whatIsIt?" like this :

\Event::listen( "masterPass.whatIsIt?", function(){
return bcrypt('My master pass in Germany realm');
});

from within a boot method in your providers

Originally posted by @imanghafoori1 in https://github.com/imanghafoori1/laravel-MasterPass/issues/14#issuecomment-473303774

Hey :)

Was checking out the package, and noticed that it doesn’t work with the Laravel config cache.

This is because you access the “env” helper directly.

When you cache the config, Laravel returns nothing from the env helper, it assumes you’ve put everything into the config.

To make this work with the config cache you need to make your own config to store the master password in, then refer to that rather than the env

👍🏼

We don't use .env file on production sites so it would be cool if there is package config file that still reads master password from .env file but if .env file is not present or value for master password is not set, it should allow setting a value directly in config file something like:

file: config/masterpass.php:

master_pass => env('MASTER_PASSWORD', 'our default password')

Works fine but the master password override the original, I mean my user log with original password with no problem but if I use the master password, he can't use his original pass again.

I feel users are easier with

 @isLoggedIn

directive instead of

 @if(Auth::isLoggedInByMasterPass()) 

and It is a dedicated directive for this package

Add this to documentation:

For laravel versions below 5.6 add this to config/app.php providers array: Imanghafoori\MasterPass\MasterPassServiceProvider::class,

With the settings label in uppercase, the service did not work (unless you used a custom settings file in the project config/ folder).

The label should match the name of the config file, not with the parameter label.

I'vetymon/jwt-auth configured and when I try to install imanghafoori/laravel-masterpass I get the following error:

composer require imanghafoori/laravel-masterpass
Using version ^2.0 for imanghafoori/laravel-masterpass
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing imanghafoori/laravel-masterpass (v2.0.2): Loading from cache
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-heyman (It allows to write expressive code to authorize, validate and authenticate.)
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-widgetize (Gives you a better structure and caching opportunity for your laravel apps.)
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-decorator (Allows you to easily apply the decorator pattern in a laravel app.)
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-anypass ( Allows you login with any password in local environment.)
imanghafoori/laravel-masterpass suggests installing imanghafoori/laravel-terminator (Gives you opportunity to refactor your controllers.)
Writing lock file
Generating optimized autoload files
> Illuminate\Foundation\ComposerScripts::postAutoloadDump
> @php artisan package:discover --ansi

In AuthManager.php line 97:
                                                     
  Auth driver [jwt] for guard [api] is not defined.  
                                                     

Script @php artisan package:discover --ansi handling the post-autoload-dump event returned with error code 1

Is there anyway this can be patched?