Laravel 4 Auth::attempt returns false on correct values

Question

I have login code that is supposed to work by attempting to authenticate the user using Laravel's Auth::attempt() method. This code works on another site of mine, I have altered it as instead of the Password in the database, it is stored as passwdEncrypted . I cannot change it as the database is in use by another application as well.

The code is below:

// check if in database
        $isInDb = User::where('ReferenceCode', $username)->first();
        if($isInDb) {
            // is in database
            // check if password is encrypted yet
            if($isInDb->passwdEncrypted) {
                // password is encrypted
                if(Auth::attempt(array('ReferenceCode' => $username, 'passwdEncrypted' => $password))) {
                    // authenticated
                    $array = array();
                    $array['verified'] = 'true';
                    $array['type'] = Auth::user()->UserType;
                    return Response::json($array);
                } else {
                    // not authenticated
                    $array = array();
                    $array['verified'] = 'false';
                    $array['type'] = $type;
                    return Response::json($array);
                }
            } else {
                // password is not encrypted
                // check if plain text password is correct
                if($isInDb->Password == $password) {
                    // plain text password is correct
                    $hashed = Hash::make($password);
                    $arr = array('passwdEncrypted' => $hashed);
                    $updated = User::where('rsmsOnlineUserID', $isInDb->rsmsOnlineUserID)->update($arr);
                    if($updated) {
                        $newUser = User::find($isInDb->rsmsOnlineUserID);
                        echo $newUser->passwdEncrypted;
                        if(Auth::attempt(array('ReferenceCode' => $username, 'passwdEncrypted' => $password))) {
                            echo 'logged in';
                        } else {
                            dd(DB::getQueryLog());
                            echo 'could not log in';
                        }
                    } else {
                        echo 'did not update';
                    }
                } else {
                    // plain text password is incorrect
                    $array = array();
                    $array['verified'] = 'false';
                    $array['type'] = $type;
                    return Response::json($array);
                }
            }
        } else {
            // not in database
            return Respone::json(array('success' => 'false'));
        }

What is happening: I can't log in, the username and password in the database is 1234 , even if I hard code that, it does not work.

It first checks to see if the user is in the database, if it is, it checks to see if there is an encrypted password, if there is not, it will create one from the password given if it matches the plain text password in the database and then log the user in (I have no choice but to have the plain text password stored in the database, that is how they want it).

But it returns the {"verified":"false","type":"prospective_employee"} from the not authenticated part of the code. So neither of the Auth::attempt() blocks work.

I was logging them in manually but even Auth::login() won't work.

I have the following in my User model (with the main database table):

public function getAuthPassword()
{
    return $this->Password;
}

/**
 * Get the token value for the "remember me" session.
 *
 * @return string
 */
public function getRememberToken() {
    return $this->remember_token;
}


public function setRememberToken($value) {
    $this->remember_token = $value;
}


public function getRememberTokenName() {
    return 'remember_token';
}

/**
 * Get the e-mail address where password reminders are sent.
 *
 * @return string
 */
public function getReminderEmail()
{
    return $this->email;
}

Please note that there is a field in the table called Password , but that is the plain text password, I need to authenticate against the passwdEncrypted field.

Answer 1

You cannot do this with Laravel, and for good reason, but it is ridiciously unsecure and dangerous.

I have no choice but to have the plain text password stored in the database, that is how they want it

I dont understand - why are you storing BOTH an "unencrypted" and "encrypted" password? There is no point. You should only ever store encrypted passwords. There is no need for any other way, and you need to educate the people as to why.

This code works on another site of mine, I have altered it as instead of the Password in the database, it is stored as passwdEncrypted. I cannot change it as the database is in use by another application as well.

The Laravel Auth code is hard coded to use the "password" column. You cannot simply change it to another colum. That is why your code is failing.

Since you are not using the password column, and since you are not using encrypted passwords, you might as well just create your own unsecure login system, customised to suit your requirements.