New Password Security improvements

objects/functions.php

@@ -2718,7 +2718,20 @@ function encryptPasswordVerify($password, $hash, $encodedPass = false) {
         $passwordUnSalted = $password;
     }
     //_error_log("passwordSalted = $passwordSalted,  hash=$hash, passwordUnSalted=$passwordUnSalted");
-    return $passwordSalted === $hash || $passwordUnSalted === $hash || $password === $hash;
+    $isValid = $passwordSalted === $hash || $passwordUnSalted === $hash;
+    
+    if(!$isValid){
+        $passwordFromHash = User::getPasswordFromUserHash($password);
+        $isValid = $passwordFromHash === $hash;
+    }
+    
+    if(!$isValid){
+        if($password === $hash){
+            _error_log('encryptPasswordVerify: this is a deprecated password, this will stop to work soon '.json_encode(debug_backtrace()), AVideoLog::$SECURITY);
+            return true;
+        }
+    }
+    return $isValid;
 }
 
 function encryptPasswordV2($uniqueSalt, $password, $noSalt = false) {

objects/user.php

@@ -445,7 +445,8 @@ if (typeof gtag !== \"function\") {
 
     public static function getUserPass() { 
         if (self::isLogged()) {
-            return $_SESSION['user']['password'];
+            //return $_SESSION['user']['password'];
+            return $_SESSION['user']['passhash'];
         } else {
             return false;
         }
@@ -1239,6 +1240,7 @@ if (typeof gtag !== \"function\") {
                 }
             }
             $user = $result;
+            $user['passhash'] = self::getUserHash($user['id']);
         } else {
             _error_log("Password check new hash user not found");
             //check if is the old password style
@@ -1294,6 +1296,7 @@ if (typeof gtag !== \"function\") {
                 $result['password'] = $u->getPassword();
             }
             $user = $result;
+            $user['passhash'] = self::getUserHash($user['id']);
         } else {
             $user = false;
         }
@@ -1317,6 +1320,7 @@ if (typeof gtag !== \"function\") {
         sqlDAL::close($res);
         if ($res) {
             $user = $result;
+            $user['passhash'] = self::getUserHash($user['id']);
         } else {
             $user = false;
         }
@@ -1335,6 +1339,7 @@ if (typeof gtag !== \"function\") {
         sqlDAL::close($res);
         if ($res !== false) {
             $user = $result;
+            $user['passhash'] = self::getUserHash($user['id']);
         } else {
             $user = false;
         }
@@ -1352,11 +1357,50 @@ if (typeof gtag !== \"function\") {
         $user = sqlDAL::fetchAssoc($res);
         sqlDAL::close($res);
         if ($user !== false) {
+            $user['passhash'] = self::getUserHash($user['id']);
             return $user;
         }
         return false;
     }
     
+    private static function getUserHash($users_id, $valid='+7 days') {
+        $obj = new stdClass();
+        $obj->users_id = $users_id;
+        $obj->valid = strtotime($valid);
+        
+        return '_user_hash_'.encryptString($obj);
+    }
+    
+    static function getPasswordFromUserHash($hash) {
+        if(!preg_match('/^_user_hash_/', $hash)){
+            return false;
+        }
+        $string = str_replace('_user_hash_', '',$hash );
+        
+        $json = decryptString($string);
+        if(empty($json)){
+            return false;
+        }
+        
+        $obj = json_decode($json);
+        
+        if(empty($obj)){
+            return false;
+        }
+        
+        if($obj->valid < time()){
+            return false;
+        }
+        
+        if(empty($obj->users_id)){
+            return false;
+        }
+        
+        $user = self::getUserDb($obj->users_id);
+        
+        return $user['password'];
+    }
+
     private static function getUserDbFromUser($user) {
         global $global;
         if (empty($user)) {