Custom PHP function to verify correct password in Joomla

Question

I created a script outside of Joomla that can successfully generate a Joomla password:

// I copied the JUserHelper class from Joomla here
$salt = JUserHelper::genRandomPassword(32);
$crypt = JUserHelper::getCryptedPassword($password, $salt);
$psw = $crypt.':'.$salt;

My question is, how can I compare this new crypt:salt I generate above to a password of an existing user in the Joomla database, and know if the password supplied to the script above is the correct password for that user in the database?

Answer 1

In joomla 3.4.5:

if (!class_exists("JFactory")) {
    define('_JEXEC', 1);
    define('JPATH_BASE', dirname(__FILE__)); // specify path to joomla base directory here
    define('DS', DIRECTORY_SEPARATOR);

    require_once ( JPATH_BASE . DS . 'includes' . DS . 'defines.php' );
    require_once ( JPATH_BASE . DS . 'includes' . DS . 'framework.php' );

    $mainframe = & JFactory::getApplication('site');
    $mainframe->initialise();
}

$user = JFactory::getUser(); // or: getUser($id) to get the user with ID $id
$passwordMatch = JUserHelper::verifyPassword($entered_password, $user->password, $user->id);

Answer 2

EDIT: I posted this before the previous reply showed.

You could always break apart the stored password from the salt as they're just separated by a ':' ?

---

If the page is outside of the Joomla framework you will need to include the framework which should be able to be accomplished with this ( reference - codeblock below). If you are inside of the Joomla framework, skip past this block. However, I didn't test the referenced codeblock:

define( '_JEXEC', 1 );

define( 'DS', DIRECTORY_SEPARATOR );
define('JPATH_BASE', dirname(__FILE__).DS."..".DS.".." );

require_once ( JPATH_BASE.DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE.DS.'includes'.DS.'framework.php' );

$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();

In the framework you will need to look up the user by ID or username:

$user  =& JFactory::getUser(username or id goes here);

Then if you have a match for $user you can simply do this access that user's password:

$user->password;

Then you can just compare with what your $psw

---

I believe that should help you on your way.

Are you looking to use this to log a user in with Joomla credentials to an external site or are you looking to log them in to a Joomla site?

Answer 3

One way would be to query the Joomla database directly to get a user's (salted and hashed) password, then compare. I think the below query should work for that, based on what I have seen from a few google searches. I have done this in Wordpress, so I'm assuming Joomla would be similar.

select 'password' from `jos_users` WHERE `username` = "Bob";

Answer 4

I am sorry to say that the above solution suggested is the worst

because JUserHelper::genRandomPassword(32) function is used to generate random passwords and it will be the different password each time when it is generated So different password will be saved in the db while registering with the user when compared to the one which will be generted at the time of checking which will obviously doesn't match in any ways

Answer 5

This is how Joomla 2.5 Validates a password

See the plugin file : \\plugins\\authentication\\joomla\\joomla.php

function onUserAuthenticate($credentials, $options, &$response)
    {
        $response->type = 'Joomla';
        // Joomla does not like blank passwords
        if (empty($credentials['password'])) {
            $response->status = JAuthentication::STATUS_FAILURE;
            $response->error_message = JText::_('JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED');
            return false;
        }

        // Initialise variables.
        $conditions = '';

        // Get a database object
        $db     = JFactory::getDbo();
        $query  = $db->getQuery(true);

        $query->select('id, password');
        $query->from('#__users');
        $query->where('username=' . $db->Quote($credentials['username']));

        $db->setQuery($query);
        $result = $db->loadObject();

        if ($result) {
            $parts  = explode(':', $result->password);
            $crypt  = $parts[0];
            $salt   = @$parts[1];
            $testcrypt = JUserHelper::getCryptedPassword($credentials['password'], $salt);

            if ($crypt == $testcrypt) {
                $user = JUser::getInstance($result->id); // Bring this in line with the rest of the system
                $response->email = $user->email;
                $response->fullname = $user->name;
                if (JFactory::getApplication()->isAdmin()) {
                    $response->language = $user->getParam('admin_language');
                }
                else {
                    $response->language = $user->getParam('language');
                }
                $response->status = JAuthentication::STATUS_SUCCESS;
                $response->error_message = '';
            } else {
                $response->status = JAuthentication::STATUS_FAILURE;
                $response->error_message = JText::_('JGLOBAL_AUTH_INVALID_PASS');
            }
        } else {
            $response->status = JAuthentication::STATUS_FAILURE;
            $response->error_message = JText::_('JGLOBAL_AUTH_NO_USER');
        }
    }