Kumar Ravi Singh

Reputation: 181

Use Plain Password in laravel 5 Authentication instead of bcrypt

I was using Laravel bcrypt authentication in a back-end application, but the client asked for plain password authentication so that he can see the password of each user as administrator. My whole app logic is built on Laravel's inbuilt authentication method and bcrypt hashing. How can I replace it to authenticate with a plain password match stored in the database instead of storing a hash?

Upvotes: 0

Views: 4815

Answers (5)

class AuthController extends Controller
{

    use AuthenticatesAndRegistersUsers, ThrottlesLogins;

    public function __construct()
    {
        $this->middleware('guest', ['except' => ['getLogout', 'getLogin']]);
    }

    public function postLogin()
    {
        $data = \Request::all();

        $rules = [
            'email' => 'required|email|max:255|exists:users',
            'password' => 'required|exists:users'
        ];

        $validator = \Validator::make($data, $rules);

        if ($validator->fails()) {
            //login data not exist in db
            return redirect('/login')->withErrors($validator)->withInput();
        } else {
            // Use the fully qualified facade alias, as with \Request::all() above
            $email = \Request::input('email');
            $pass = \Request::input('password');
            //in my table users, status must be 1 to login into app
            $matchWhere = ['login' => $email, 'password' => $pass, 'status' => 1];

            $count = \App\User::where($matchWhere)->count();

            if ($count == 1) {
                $user = \App\User::where($matchWhere)->first();
                \Auth::loginUsingId($user->id);
                return redirect()->intended('/');
            } else {
                //not status active or password or email is wrong
                $validator->errors()->add('Unauthorized', 'Not accepted in community yet');
                return redirect('/login')->withErrors($validator)->withInput();
            }
        }
    }

    public function getLogin()
    {
        if (\Auth::check()) {
            return redirect()->intended('/');
        } else {
            return view('auth.login');
        }
    }

    public function getLogout()
    {
        \Auth::logout();
        return redirect()->intended('/login');
    }
}

Upvotes: 4

Rob

Reputation: 7101

Wow, these are all so complicated. It's as simple as:

if ($user = User::where('email', request()->email)->where('password', request()->password)->first()) {
    Auth::login($user);
    return redirect()->to('/');
}

Though I do agree that in a production environment you should not do this. But I can see for some applications if the users are aware the passwords are stored in plain text it may be ok.

Upvotes: 0

Prakash Shrestha

Reputation: 21

If you are now using Laravel 5^, you can do that by searching for the class Illuminate/Auth/EloquentUserProvider and making some minor tweaks in there.

For example, find the public functions retrieveByCredentials() and validateCredentials(). In the second function, you can see that Laravel is checking the hashed passwords to be fed into the Auth::attempt() method. Just change it to plain checking and you are done.

public function retrieveByCredentials(array $credentials)
{
    if (empty($credentials)) {
        return;
    }

    // First we will add each credential element to the query as a where clause.
    // Then we can execute the query and, if we found a user, return it in a
    // Eloquent User "model" that will be utilized by the Guard instances.

    $query = $this->createModel()->newQuery();

    foreach ($credentials as $key => $value) {
        if (! Str::contains($key, 'password')) {
            $query->where($key, $value);
        }
    }

    return $query->first();
}

/**
 * Validate a user against the given credentials.
 *
 * @param  \Illuminate\Contracts\Auth\Authenticatable  $user
 * @param  array  $credentials
 * @return bool
 */
public function validateCredentials(UserContract $user, array $credentials)
{
    $plain = $credentials['password'];

    return $this->hasher->check($plain, $user->getAuthPassword());
}

Change $this->hasher->check to a normal check and you will be done. :)

Upvotes: 2

Harry Geo

Reputation: 1173

Well, that really compromises your client's website security. Storing plain passwords in the DB is not recommended at all. If someone gained access to the database, his/her site would be really vulnerable; anyone with a copy of the database would have easy access to all kinds of accounts. I insist you should create a reset/change password functionality instead of storing plain passwords in the DB. Anyway, you could just get the plain password with

$password = Input::get('password');

And I guess you could authenticate users with

if (Auth::attempt(array('password' => $password)))
{
    return Redirect::route('home');
}

Upvotes: 0
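The reset/change password functionality suggested in the answer above, sketched as an added example that is not code from this thread: the administrator can always restore a user's access, yet only bcrypt hashes are ever stored. It is plain PHP so that it runs stand-alone; the `$users` array, the sample row and the function names are assumptions for illustration, with `password_hash()`/`password_verify()` standing in for Laravel's `Hash::make()`/`Hash::check()`.

```php
<?php
// Added example, not code from the thread. Plain PHP: the $users array stands
// in for the users table, and password_hash()/password_verify() for Laravel's
// Hash::make()/Hash::check(). All function names here are hypothetical.
declare(strict_types=1);

// Constructed sample row: only a bcrypt hash is stored, never the password.
$users = ['alice@example.test' => [
    'hash' => password_hash('old-secret', PASSWORD_BCRYPT), 'must_change' => false,
]];

/** Admin action: issue a one-time temporary password and store only its hash. */
function adminResetPassword(array &$users, string $email): string
{
    if (!isset($users[$email])) {
        throw new InvalidArgumentException('Unknown user');
    }
    $temporary = bin2hex(random_bytes(8));   // 16 hex characters from the CSPRNG
    $users[$email] = ['hash' => password_hash($temporary, PASSWORD_BCRYPT),
                      'must_change' => true]; // force a new password at next login
    return $temporary;                        // shown to the admin once, never persisted
}

/** Login against the stored hash: 'ok', 'change_required' or 'denied'. */
function login(array $users, string $email, string $password): string
{
    $row = $users[$email] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return 'denied';
    }
    return $row['must_change'] ? 'change_required' : 'ok';
}

/** The user replaces the temporary password with one only they know. */
function changePassword(array &$users, string $email, string $current, string $new): bool
{
    if (login($users, $email, $current) === 'denied') {
        return false;
    }
    $users[$email] = ['hash' => password_hash($new, PASSWORD_BCRYPT), 'must_change' => false];
    return true;
}

$temp = adminResetPassword($users, 'alice@example.test');
echo login($users, 'alice@example.test', 'old-secret'), PHP_EOL;  // pre-reset password
echo login($users, 'alice@example.test', $temp), PHP_EOL;         // temporary password
var_dump(changePassword($users, 'alice@example.test', $temp, 'new-secret'));
echo login($users, 'alice@example.test', 'new-secret'), PHP_EOL;  // user's own password
```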

Sojan Jose

Reputation: 3238

In Laravel 4 you could have rewritten the HASH module. This Stack Overflow thread explains how to use SHA1 instead of bcrypt [check the accepted answer and comments].

You can make use of the method explained here and save your password without hashing.

Upvotes: 0
