authorCamil Staps2016-07-26 00:27:21 +0200
committerCamil Staps2016-07-26 00:27:21 +0200
commite1ce84dfd0064c33a836b05c7287f30d6889f214 (patch)
tree67ab57ec03f39a025019f3924e36a836ab491d52 /classes
parentUser authentication mechanism (diff)
Added password_needs_rehash logic
Diffstat (limited to 'classes')
-rw-r--r--classes/constants.php6
-rw-r--r--classes/user.php11
2 files changed, 14 insertions, 3 deletions
diff --git a/classes/constants.php b/classes/constants.php
index 77f47b0..e5630de 100644
--- a/classes/constants.php
+++ b/classes/constants.php
@@ -69,7 +69,11 @@ class constants {
/** @const fa_valuta see http://fontawesome.io/icons/#currency; the fa- postfix for valuta */
const fa_valuta = 'eur';
- /** @const password_cost for the password_hash function. Run install?password_cost to benchmark your system */
+ /**
+ * @const password_algo Algorithm for the password_hash function.
+ * @const password_cost Cost for the password_hash function. Run install?password_cost to benchmark your system
+ */
+ const password_algo = PASSWORD_DEFAULT;
const password_cost = 10;
/** @const version Version of BusinessAdmin. Don't change this yourself! */
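Review bot: The new `@const password_algo` line documents what the constant is for but not why it exists; the value of `PASSWORD_DEFAULT` is allowed to change between PHP releases, and this constant is now the single place that keeps `user::hash()` and the `password_needs_rehash()` check in `verifyPassword()` in agreement. I would extend the docblock with ` * PASSWORD_DEFAULT may map to a different algorithm in newer PHP versions; verifyPassword() rehashes stored passwords when this or password_cost changes, so both sites must read these constants rather than hard-coding them.` Also worth noting in the same comment that `password_cost` only applies to bcrypt-style algorithms, so anyone switching `password_algo` to a non-bcrypt option will need to revisit the options array passed alongside it.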
diff --git a/classes/user.php b/classes/user.php
index 261fa3d..e50f773 100644
--- a/classes/user.php
+++ b/classes/user.php
@@ -44,7 +44,7 @@ class user {
public static function hash($password, $cost=null) {
return password_hash(
$password,
- PASSWORD_DEFAULT,
+ constants::password_algo,
['cost' => is_null($cost) ? constants::password_cost : $cost]
);
}
@@ -148,7 +148,14 @@ class user {
* @return bool True iff the password can be accepted
*/
public function verifyPassword($password) {
- return password_verify($password, $this->password);
+ if (!password_verify($password, $this->password)) {
+ return false;
+ }
+ if (password_needs_rehash($this->password, constants::password_algo,
+ ['cost' => constants::password_cost])) {
+ $this->setPassword($password);
+ }
+ return true;
}
/**
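Review bot: The `$this->setPassword($password);` line discards whatever `setPassword` returns, so if that method persists the new hash and can fail, the caller still receives `true` and the old hash stays in place; that is an acceptable best-effort rehash, but the failure should not be invisible, e.g. log or surface a false return from `setPassword` if it reports one (its definition is outside this hunk, so I cannot tell whether it writes to storage or returns a status). The docblock above, whose `@return` still says only "True iff the password can be accepted", should also state the new side effect: ` * Side effect: when the password verifies but password_needs_rehash() reports a changed algorithm or cost, the stored hash is regenerated via setPassword().` Finally, the rehash check compares against `constants::password_cost` while `hash()` accepts a `$cost` override; if `setPassword` ever hashes with a different cost, every successful login would rehash again, so it may be worth a comment that `setPassword` is expected to hash with the default cost.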