Posts

Posted on

Migrate passwords from a legacy PHP application to Laravel

https://leopoletto.com/assets/images/migrate-legacy-passwords-to-laravel.png

Migrating a legacy PHP application to Laravel will probably require a custom hashing driver.

This happens because Laravel’s default hashing driver is bcrypt and has argon as another built-in option, while MD5, SHA-1, SHA-256, and SHA-512 were and still are widely used, especially when the application does not rely on a modern framework.

Considering that we already have a table storing the hashed passwords, we need to make Laravel use the correct hash algorithm to compare the users’ raw passwords when authenticating.

Create a custom hash drive on Laravel

It should implement the Illuminate\Contracts\Hashing\Hasher
interface and extend the Illuminate\Hashing\AbstractHasher class:

app/Hashing/Md5Hasher.php

namespace App\Hashing;

use Illuminate\Contracts\Hashing\Hasher;
use Illuminate\Hashing\AbstractHasher;

class Md5Hasher extends AbstractHasher implements Hasher
{
    public function make($value, array $options = []): string
    {
        return md5($value . config('hashing.md5.salt'));
    }

    public function check($value, $hashedValue, array $options = []): bool
    {
        return $this->make($value) === $hashedValue;
    }

    public function needsRehash($hashedValue, array $options = []): bool
    {
        return false;
    }
}

Register the new driver in your application

Register it in the boot method of the following class:

app/Providers/AuthServiceProvider.php

namespace App\Providers;

use App\Hashing\Md5Hasher;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    // ...

    public function boot(): void
    {
        // ...

        Hash::extend('md5', static function () {
            return new Md5Hasher();
        });
    }
}

Define the hashing SALT (Optional)

Your legacy application may use a SALT to concatenate before hashing the password. We can define it in the config and delegate its value to the .env file.
If your legacy application does not use SALT, you won’t need to add it to the .env file.

config/hashing.php

return [
    // ...

    'md5' => [
        'salt' => env('MD5_SALT'),
    ],
];

.env

MD5_SALT=my_salt

Update the passwords

To rehash the password, we can intercept the users’ attempts to login and check if the MD5 hashed password matches the one in the database.
We can do that by listening to the Illuminate\Auth\Events\Attempting::class event.

php artisan make:listener UpdateMd5Password

app/Providers/EventServiceProvider.php

class EventServiceProvider extends ServiceProvider
{
    //...

    protected $listen = [

        //...

        'Illuminate\Auth\Events\Attempting::class' => [
            'App\Listeners\UpdateMd5Password::class',
        ],
    ];

    //...
}

The following implementation checks if the credentials match the legacy algorithm (MD5) and update to the new one.
The authentication flow continues, and the user will be successfully authenticated using the default driver (bcrypt).

app/Listeners/UpdateSha1Password.php

namespace App\Listeners;

use App\Models\User;
use Illuminate\Support\Facades\Hash;

class UpdateMd5Password
{
    public function handle(object $event): void
    {
        $user = User::where('email', $event->credentials['email'])->first();

        $md5Password = Hash::driver('md5')->make($event->credentials['password']);

        if ($user && $user->getAuthPassword() === $md5Password) {
            $user->password = Hash::make($event->credentials['password']);
            $user->save();
        }
    }
}

In closing

You may have another hashing algorithm on your legacy PHP application. You can make the necessary changes to achieve the same behavior.

Join the discussion on Twitter.

Laravel News Links

Posted on

Laravel File Uploads: Save Filename in DB with Folder and URL?

https://laraveldaily.com/storage/423/Copy-of-Copy-of-ModelpreventLazyLoading();-(6).png

When uploading files with Laravel, how to store the filename in the DB? Should you store filename.png? Or, include the folder of avatars/filename.png? Or, the full path https://website.com/avatars/filename.png? Let me tell you my opinion.

This tutorial will have an avatar field on the register page and an avatar column in the users table. Let’s see how we can save it.

The easiest way is to store just the filename and create a separate storage disk.

config/filesystems.php:

return [
 
    // ...
 
    'disks' => [
 
        // ...
 
        'avatars' => [
            'driver' => 'local',
            'root' => storage_path('app/public/avatars'),
            'url' => env('APP_URL').'/storage/avatars',
            'visibility' => 'public',
            'throw' => false,
        ],
 
    ],
 
    // ...
 
];

Then, when storing the file we need to specify the new avatars disk.

app/Http/Controllers/Auth/RegisteredUserController.php:

class RegisteredUserController extends Controller
{
    // ...
 
    public function store(Request $request): RedirectResponse
    {
        $request->validate([
            'name' => ['required', 'string', 'max:255'],
            'email' => ['required', 'string', 'email', 'max:255', 'unique:'.User::class],
            'password' => ['required', 'confirmed', Rules\Password::defaults()],
            'avatar' => ['nullable', 'image'],
        ]);
 
        if ($request->hasFile('avatar')) { 
            $avatar = $request->file('avatar')->store(options: 'avatars');
        } 
 
        $user = User::create([
            'name' => $request->name,
            'email' => $request->email,
            'password' => Hash::make($request->password),
            'avatar' => $avatar ?? null, 
        ]);
 
        // ...
    }
}

This way, your full URL filename https://website.com/storage/avatars/filename.png consists of three things:

  • Domain: https://website.com is stored in your APP_URL in .env file: so it is flexibly different for your local and production servers
  • Folder: /storage/avatars is in the config('disks.avatars.url') which corresponds to the internal structure of /storage/app/public/avatars described in the same config file. Both also can be flexibly changed if needed.
  • Filename: filename.png is the only thing actually landing in the DB column

To get the URL for the image in the Blade file, we would use URL method on the Storage facade providing the disk.

<img src="" alt="" />

But what if, after some time, you would need to go from local disks to, let’s say, Amazon S3?

The only change you would need to make is to change the disk, and maybe instead of the url, use the temporaryUrl method to provide the expiration time for the link.

<img src="" alt="" />

Laravel News Links

Posted on

How A 120mm Tank Round Works

http://img.youtube.com/vi/gJz8cVUvYws/0.jpg

Here’s something informational for Sunday, Nicholas Moran explaining exactly how a modern 120mm (AKA 120×570mm NATO, the type used by the M1A2 Abrams and the German Leopard 2) APFSDS round works.

  • He has a dummy blue round to demonstrate the features. “All the projectiles are color coded. Explosive, for example, would be green with yellow lettering.” APFSDS rounds are black.
  • “The aft cap is the one piece which is left behind after a modern round is fired, and this takes up a lot less room than a traditional shell casing rattling around inside the tank once you fire it.”
  • A long primer rod runs up the middle for more even propellent burning.
  • “A modern tank does have a firing pin. It’s electrically fired, but it has a firing pin. It looks just like a firing pin you’d expect from a rifle, except it’s about yay long…Electricity goes through the firing pin, sets off the primer, which sets off the propellant, which gives you
    the big boom.”

  • There are even emergency hand crank firing systems with dynamos to use if the electrical system goes down.
  • “The rest of the shell casing is made of a form of cellulose, and it is burned up in the explosion. So the aft cap is sufficient to seal the breach instead of requiring the entire casing to expand as you you’d find on a traditional round.”
  • “The catch is that this is simply not as robust as a metal shell.” Which is why the loader has to inspect rounds for scratches or bulges to the water-resistant coating. That could cause the round to break apart or misfire. “This is a bad thing.”
  • Which is why tank crews practice misfire drills to ensure safe handling of rounds so they don’t spread loose propellant all over the tank’s interior.
  • “The kinetic energy penetrator is itself a dart… it’s got fins at the back to keep the pointy end forwards, and it is kept centered as it goes down the tube by these sabot petals.”
  • “Modern sabots seem to have settled on three of these petals per projectile. Once the projectile has left the muzzle, the air is caught by the petals and they are peeled away.”
  • The discarded petals are a danger. “This is why sabot rounds such as APFSDS or M-PT should not be fired over the heads of friendly infantry.”
  • “The dart goes that way, hits metal, and basically punches through, taking little bits of metal inside with them. This is called a spall. These little fragments metal are extremely unhealthy to anyone or anything inside the vehicle which it hits.”
  • “However, if the armor is too thin to produce spalling, you get what is known as over-penetration. So you make a dart-sized hole on one side of the vehicle, a dart-sized hole on the far side of the vehicle, and dart sized holes on anything in-between, and outside of brown pants for the crewmen, quite possibly nothing else.”
  • “If so you’re firing such a target, you’re probably better off using a shaped charge round such as HEAT.”
  • He then show off a dummy HEAT projector, which has a funky blunt circular head that “in effect clears the air as a wind shield for the decidedly non-aerodynamic flat bit. The main body of the round also performs something of a stabilizing function and thirdly provides adequate standoff or room for the penetrating jet to form.”
  • “Here is a metal cone surrounded by explosives. The explosives detonate, the cone collapses the liner.”
  • Text popped up on screen at 9 minutes in notes that the penetrating jet is not high temperature plasma.

    • Here’s another video that provides a visualized simulation of how APFSDS rounds work.

    Lawrence Person’s BattleSwarm Blog