How to use Bcrypt strategy in new application?

This extension is useful, but i didn't still use it. I open a topic on Stackoverflow: http://stackoverflow.com/questions/15714387/yiipassword-extension-usage

I very tried any way, i want now you how to use this extension for your application? Mainly encode the user password and verify it at user-login.

It would be nice if you'd tag your versions so that we can use this extension properly through Composer.

I would also strongly suggest that you use Git flow to manage the versioning of the project. http://nvie.com/posts/a-successful-git-branching-model/

• Adds support for PSR-0 (Enable PSR-0 autoloading)
• Fixes useless test in ABcryptPasswordStrategy.php
• Uses idiomatic markdown instead of HTML
• Support for HTTP-Digest Strategy
• Bug Fix an infinite loop during save

I would like to suggest a change to the casing of the project name to yiipassword as Composer uses lowercase letters for project names. That's also the way GitHub prefers the projects to be named.

Would this be possible?

Hi there,

I am making extensive use of your extension that I think is awesome but found a new line on your code at APasswordBehavior class:

Yii::import("packages.passwordStrategy.*");

IMHO there is no need for this inclusion and also it is not specified on the README file.

There was 1 error:

1. ABcryptPasswordStrategyTest::testEncode CException: Alias "packages.passwordStrategy.*" is invalid. Make sure it points to an existing directory or file.

C:\Apache2\htdocs\yii\framework\YiiBase.php:343 C:\Apache2\htdocs\x\protected\components\YiiPassword\APasswordBehavior.php:2 C:\Apache2\htdocs\yii\framework\YiiBase.php:423 C:\Apache2\htdocs\yii\framework\YiiBase.php:298 C:\Apache2\htdocs\yii\framework\YiiBase.php:198 C:\Apache2\htdocs\yii\framework\base\CComponent.php:327 C:\Apache2\htdocs\yii\framework\base\CComponent.php:298 C:\Apache2\htdocs\yii\framework\db\ar\CActiveRecord.php:389 C:\Apache2\htdocs\x\protected\models\User.php:28 C:\Apache2\htdocs\x\protected\tests\unit\ABcryptPasswordStrategyTest.php:22 C:\php\phpunit:46

FAILURES! Tests: 1, Assertions: 2, Errors: 1.

more: http://www.yiiframework.com/forum/index.php/topic/30077-yii-password-strategies/page__view__findpost__p__199149

by execution of changePassword will be good to save only related fields:

--- APasswordBehavior.php   2012-12-09 18:03:26.000000000 +0200
+++ APasswordBehavior.php.new   2012-12-09 18:06:35.000000000 +0200
@@ -187,7 +187,7 @@
    {
        $owner = $this->getOwner(); /* @var CActiveRecord $owner */
        $this->changePasswordInternal($password);
-       return $owner->save($runValidation);
+       return $owner->save($runValidation, array($this->passwordAttribute, $this->saltAttribute, $this->strategyAttribute));
    }
 
    /**

You will most likely need to re-configure the service hook for Packagist because you renamed the package. The package is currently not being updated so the version tags I pushed are not available through composer.

Alternatively you can give me administration privileges so that I can fix this myself.

Put "" in front of Yii to make sure the autoload takes it from the base name space rather than what define in the file.

I used PHP 5.3.5. May be in other version of PHP doesn't have this problem? I'm not sure about this.

I want change password, but befor i want verify current password that is correct. my controller is:

    public function actionCPass()
    {
        $model=$this->loadModel(Yii::app()->user->id);
        $model->scenario='CPass';
        $this->performAjaxValidation($model,'pass-form');

        if(isset($_POST['User']))
        {
            $model->attributes=$_POST['User'];
            $validate=$model->validate();

            if(!$validate and Yii::app()->request->isAjaxRequest)
                $this->getErrorSummary($model);

            if($validate)
            if($model->changePassword($model->newPass))
                if(Yii::app()->request->isAjaxRequest)
                    Yii::app()->end(CJSON::encode(array('status'=>'success')));
                else
                    Yii::app()->user->setFlash('status','success');
        }

        if(Yii::app()->request->isAjaxRequest)
            $this->renderPartial('_cpass',array('model'=>$model),false,true);
        else
            $this->render('update',array('model'=>$model,'form'=>'_cpass'));
    }

model is:

<?php
/**
 * This is the model class for table "tbl_user".
 *
 * The followings are the available columns in table 'tbl_user':
 * @property integer $id
 * @property string $username
 * @property string $password
 * @property string $email
 * @property string $salt
 * @property string $strategy
 */
class User extends CActiveRecord
{

    public $currentPass;
    public $newPass;
    public $newPass_repeat;
    /**
    ...

    public function behaviors()
    {
        return array(
            "APasswordBehavior" => array(
                "class" => "APasswordBehavior",
                "defaultStrategyName" => "bcrypt",
                "strategies" => array(
                    "bcrypt" => array(
                        "class" => "ABcryptPasswordStrategy",
                        "workFactor" => 10,
                        'minLength' => 4,
                    ),
                ),
            )
        );
    }

    public function rules()
    {
            return array(
            array('currentPass,newPass','required', 'on'=>'CPass', 'message'=>'Required'),
            array('newPass','length','min'=>4,'tooShort'=>'At last 4 char'),
            array('newPass', 'compare', 'on'=>'CPass', 'message'=>'Didn't match'),
            array('newPass_repeat', 'safe', 'on'=>'CPass'), 
            array('currentPass','verify_password', 'on'=>'CPass'),
        );
    }


    public function verify_password()
    {
        if(!$this->hasErrors())
            if($this->verifyPassword($this->currentPass)==false)
                $this->addError('currentPass','current Password don't correct');
            else
                $this->clearErrors('currentPass');
    }

The problem is: public function verify_password() in model(Rules) runs twice. in fact validation runs twice, one in $model->validate() and other in $model->changePassword. My current temporally practice is: $model->changePassword($model->newPass,false). How can i verify password in model Rules?

In verify password why do you use

if (!$strategy->compare($password,$owner->{$this->passwordAttribute}))

istead of

if (!$strategy->compare($password, $this->_hashedPassword)

This way I can't use same attribute for verification (on update for example when i need old password) like:

if ($this->verifyPassword($this->password))

Notice the breaking changes on the commit April 17th.

Do you have a strategy for introducing breaking changes? How should someone use this lib without risking future breaks?

The way this behavior works now, you hand out the hashed password to the user during an update. If the password content equals the hashed content, the password is not changed.

I don't particularly like the idea of sending pw hashes to the user. And it makes the behavior logic unneccessarly complex, as you have to save the original DB value in afterFind().

I'd find it much better, if the behavior used a dedicated property for new passwords from forms:

class X extends CActiveRecord
{
    // Used in forms to let users enter a *new* password
    public $newPassword;
    //...
}

The DB column (e.g. password) is never exposed to the user, only newPassword is. You can think of it as a one-way road for new passwords into our DB. Only if newPassword is not empty, a new hashed password is written to password.

This would simplify the behavior code quite a bit - and make it more transparent to the user, in case he wants to add additional validation to the newPassword column.