PasswordVerify: Difference between revisions

Revision as of 11:10, 6 September 2018

This template is no longer in use as it results in poor readability. This function verifies whether a password matches a password hash.

[[\|link=\|]]	Warning: It is strongly recommended to use the async version of the function (i.e. provide a callback function). Otherwise, you will experience short freezes due to the slow nature of the bcrypt algorithm

Syntax

bool passwordVerify ( string password, string hash [, table options, function callback ] )

Required Arguments

password: The password to check.
hash: A supported hash (see passwordHash). Note that only the prefix $2y$ is supported for type bcrypt (older prefixes can cause security issues).

Optional Arguments

options: advanced options
- insecureBcrypt: If set to true, you can use the $2a$ prefix for bcrypt hashes as well. It is strongly not recommended to use it though, because the underlying implementation has a bug that leads to such hashes being relatively easy to crack. This bug was fixed for $2y$.

callback: providing a callback will run this function asynchronously, the arguments to the callback are the same as the returned values below.

Returns

Returns true if the password matches the hash. Returns false if the password does not match, or if an unknown hash was passed. If a callback was provided, the aforementioned values are arguments to the callback, and this function will always return true.

Example

See passwordHash example.

@@ Line 5: / Line 5: @@
 This function verifies whether a password matches a password hash.
 }}
+{{Warning|It is strongly recommended to use the async version of the function (i.e. provide a callback function). Otherwise, you will experience short freezes due to the slow nature of the bcrypt algorithm}}
 ==Syntax==
 <syntaxhighlight lang="lua">
-bool passwordVerify ( string password, string hash[, function callback] )
+bool passwordVerify ( string password, string hash [, table options, function callback ] )
 </syntaxhighlight>
 ===Required Arguments===
 *'''password:''' The password to check.
-*'''hash:''' A supported hash (see [[passwordHash]])
+*'''hash:''' A supported hash (see [[passwordHash]]). <span style="color:red">Note that only the prefix ''$2y$'' is supported for type bcrypt (older prefixes can cause security issues).</span>
 ===Optional Arguments===
+{{New feature/item|3.0156|1.5.6||
+*'''options:''' advanced options
+**'''insecureBcrypt:''' If set to ''true'', you can use the ''$2a$'' prefix for bcrypt hashes as well. '''It is strongly not recommended to use it though, because the underlying implementation has a bug that leads to such hashes being relatively easy to crack.''' This bug was fixed for ''$2y$''.
+}}
 {{New feature/item|3.0154|1.5.4|11281|
 *'''callback:''' providing a callback will run this function asynchronously, the arguments to the callback are the same as the returned values below.
 }}
 ===Returns===
 Returns true if the password matches the hash. Returns false if the password does not match, or if an unknown hash was passed. If a callback was provided, the aforementioned values are arguments to the callback, and this function will always return ''true''.
 ==Example==
-{{Warning|If you will be using "Example 1" then you will have to save account data "hash_password" after server restart, otherwise this script will no longer work.}}
+See [[passwordHash]] example.
-This example makes use of passwordHash and passwordVerify in account creation and account login to boost up security.
-<section name="Example 1" class="server" show="true">
-<syntaxhighlight lang="lua">
--- lets add command handler that will handle the account creation
-addCommandHandler("accountCreate",function(source,cmd,username,password)
-	if (username and password) then
-		local hashedPassword = passwordHash(password,"bcrypt") -- create new hash for password
-		if (hashedPassword) then -- check if hash has been generated
-			local account = addAccount(username,hashedPassword)
-			if (account) then -- now lets add account with new hash what we got when we made it for password.
-				setAccountData(account,"hash_password",hashedPassword) -- store accounts password hash in order to verify it when it's needed.
-				outputChatBox("Account successfuly created! Now please login. Syntax </accountLogin [username] [password]>",source,20,160,20)
-			else
-				outputChatBox("Account already exists! Please try again with different username.",source,20,160,20)
-			end
-		else
-			outputChatBox("Securing your password failed! Please try again or contact an administrator.",source,160,20,20)
-		end
-	else
-		outputChatBox("Wrong parameters! Correct Syntax </accountCreate [username] [password]>",source,160,20,20)
-	end
-end);
--- lets add command handler that will handle the account login
-addCommandHandler("accountLogin",function(source,cmd,username,password)
-	if (username and password) then
-		local account = getAccount(username) -- get entered account
-		if (account) then -- check if entered account exists
-			local hashedPassword = getAccountData(account,"hash_password") -- lets get hashed password
-			if (passwordVerify(password,hashedPassword)) then -- check if hash and entered password matches
-				if logIn(source,account,hashedPassword) then -- now lets login player into account
-					outputChatBox("Login successfull. Welcome, "..getAccountName(account).."!",source,20,160,20)
-				end
-			else
-				outputChatBox("Password is incorrect!",source,160,20,20)
-			end
-		else
-			outputChatBox("Account doesn't exist! Please try again with different account.",source,160,20,20)
-		end
-	else
-		outputChatBox("Wrong parameters! Correct Syntax </accountCreate [username] [password]>",source,160,20,20)
-	end
-end);
-</syntaxhighlight>
-</section>
 ==See Also==
 {{Utility functions}}