Move password_verify_hash_column handling from login into a member function

Author: nathanjrobertson

src/Auth/Source/SQL2.php

@@ -396,6 +396,89 @@ protected function executeQuery(PDO $db, string $query, array $params): array
     }
 
 
+    /**
+     * Authenticate using the optional password_verify() support against a hash retrieved from the database.
+     *
+     * @param string $queryname   Name of the auth query being processed
+     * @param array $queryConfig  Configuration from authsources.php for this auth query
+     * @param array $data         Result data from the database query
+     * @param string $password    Password to verify with password_verify()
+     * @return bool  True if password_verify() password verification succeeded, false otherwise
+     */
+    protected function authenticatePasswordVerifyHash(
+        string $queryname,
+        array $queryConfig,
+        array $data,
+        string $password,
+    ): bool {
+        // If password_verify_hash_column is not set, we are not using password_verify()
+        if (!array_key_exists('password_verify_hash_column', $queryConfig)) {
+            Logger::error(sprintf(
+                'sqlauth:%s: authenticatePasswordVerifyHash() called but configuration for ' .
+                '"password_verify_hash_column" not found in query config for query %s.',
+                $this->authId,
+                $queryname,
+            ));
+            throw new Error\Error('WRONGUSERPASS');
+        } elseif (count($data) < 1) {
+            // No rows returned, password_verify() cannot succeed
+            return false;
+        }
+
+        /* This is where we need to run password_verify() if we are using password_verify() to
+            * authenticate hashed passwords that are only stored in the database. */
+        $hashColumn = $queryConfig['password_verify_hash_column'];
+        if (!array_key_exists($hashColumn, $data[0])) {
+            Logger::error('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
+                            ' did not return expected hash column \'' . $hashColumn . '\'');
+            throw new Error\Error('WRONGUSERPASS');
+        }
+
+        $validPasswordHashFound = false;
+        $passwordHash = null;
+        foreach ($data as $row) {
+            if ((!array_key_exists($hashColumn, $row)) || is_null($row[$hashColumn])) {
+                Logger::error(sprintf(
+                    'sqlauth:%s: column `%s` must be in every result tuple.',
+                    $this->authId,
+                    $hashColumn,
+                ));
+                throw new Error\Error('WRONGUSERPASS');
+            }
+            if (($passwordHash === null) && (strlen($row[$hashColumn]) > 0)) {
+                $passwordHash = $row[$hashColumn];
+                $validPasswordHashFound = true;
+            } elseif ($passwordHash != $row[$hashColumn]) {
+                Logger::error(sprintf(
+                    'sqlauth:%s: column %s must be THE SAME in every result tuple.',
+                    $this->authId,
+                    $hashColumn,
+                ));
+                throw new Error\Error('WRONGUSERPASS');
+            } elseif (strlen($row[$hashColumn]) === 0) {
+                Logger::error(sprintf(
+                    'sqlauth:%s: column `%s` must contain a valid password hash.',
+                    $this->authId,
+                    $hashColumn,
+                ));
+                throw new Error\Error('WRONGUSERPASS');
+            }
+        }
+
+        if ((!$validPasswordHashFound) || (!password_verify($password, $passwordHash))) {
+            Logger::error('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
+                            ' password verification failed');
+            /* Authentication with verify_password() failed, however that only means that
+                * this auth query did not succeed. We should try the next auth query if any. */
+            return false;
+        }
+
+        Logger::debug('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
+                        ' password verification using password_verify() succeeded');
+        return true;
+    }
+
+
     /**
      * Attempt to log in using the given username and password.
      *
@@ -449,60 +532,11 @@ protected function login(
             }
 
             // If we got any rows, the authentication succeeded. If not, try the next query.
-            if (count($data) > 0) {
-                /* This is where we need to run password_verify() if we are using password_verify() to
-                 * authenticate hashed passwords that are only stored in the database. */
-                if (array_key_exists('password_verify_hash_column', $queryConfig)) {
-                    $hashColumn = $queryConfig['password_verify_hash_column'];
-                    if (!array_key_exists($hashColumn, $data[0])) {
-                        Logger::error('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
-                                     ' did not return expected hash column \'' . $hashColumn . '\'');
-                        throw new Error\Error('WRONGUSERPASS');
-                    }
-
-                    $validPasswordHashFound = false;
-                    $passwordHash = null;
-                    foreach ($data as $row) {
-                        if ((!array_key_exists($hashColumn, $row)) || is_null($row[$hashColumn])) {
-                            Logger::error(sprintf(
-                                'sqlauth:%s: column `%s` must be in every result tuple.',
-                                $this->authId,
-                                $hashColumn,
-                            ));
-                            throw new Error\Error('WRONGUSERPASS');
-                        }
-                        if (($passwordHash === null) && (strlen($row[$hashColumn]) > 0)) {
-                            $passwordHash = $row[$hashColumn];
-                            $validPasswordHashFound = true;
-                        } elseif ($passwordHash != $row[$hashColumn]) {
-                            Logger::error(sprintf(
-                                'sqlauth:%s: column %s must be THE SAME in every result tuple.',
-                                $this->authId,
-                                $hashColumn,
-                            ));
-                            throw new Error\Error('WRONGUSERPASS');
-                        } elseif (strlen($row[$hashColumn]) === 0) {
-                            Logger::error(sprintf(
-                                'sqlauth:%s: column `%s` must contain a valid password hash.',
-                                $this->authId,
-                                $hashColumn,
-                            ));
-                            throw new Error\Error('WRONGUSERPASS');
-                        }
-                    }
-
-                    if ((!$validPasswordHashFound) || (!password_verify($password, $passwordHash))) {
-                        Logger::error('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
-                                     ' password verification failed');
-                        /* Authentication with verify_password() failed, however that only means that
-                         * this auth query did not succeed. We should try the next auth query if any. */
-                        continue;
-                    }
-
-                    Logger::debug('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
-                                 ' password verification using password_verify() succeeded');
-                }
-
+            if (
+                (count($data) > 0) &&
+                ((array_key_exists('password_verify_hash_column', $queryConfig) === false) ||
+                    $this->authenticatePasswordVerifyHash($queryname, $queryConfig, $data, $password))
+            ) {
                 Logger::debug('sqlauth:' . $this->authId . ': Auth query ' . $queryname .
                              ' succeeded with ' . count($data) . ' rows');
                 $queryConfig['_winning_auth_query'] = true;