Update password on login

glye · glye · commit 7f82ac90225d · 2025-07-18T10:28:22.000+02:00
diff --git a/src/contracts/Repository/PasswordHashService.php b/src/contracts/Repository/PasswordHashService.php
@@ -56,4 +56,18 @@ public function updatePasswordHashTypeOnChange(): bool;
      * @return bool
      */
     public function updatePasswordHashTypeOnLogin(): bool;
+
+    /**
+     * Returns true if the password hash needs to be rehashed.
+     *
+     * This is used to determine if the password hash should be updated when the user logs in.
+     * It will return true if the hash type of the existing password hash does not match the provided hash type,
+     * or if the defaults for PHP's password hashing options have changed (e.g., cost factor).
+     *
+     * @param string $passwordHash The existing password hash
+     * @param int $hashType The hash type to check against
+     *
+     * @return bool
+     */
+    public function passwordNeedsRehash(string $passwordHash, int $hashType): bool;
 }
diff --git a/src/lib/Repository/User/PasswordHashService.php b/src/lib/Repository/User/PasswordHashService.php
@@ -118,4 +118,39 @@ public function updatePasswordHashTypeOnLogin(): bool
     {
         return $this->configResolver->getParameter('password_hash.update_type_on_login');
     }
+
+    public function passwordNeedsRehash(
+        #[\SensitiveParameter]
+        string $passwordHash,
+        int $hashType
+    ): bool
+    {
+        switch ($hashType) {
+            case User::PASSWORD_HASH_BCRYPT:
+                return password_needs_rehash($passwordHash, PASSWORD_BCRYPT);
+
+            case User::PASSWORD_HASH_PHP_DEFAULT:
+                return password_needs_rehash($passwordHash, PASSWORD_DEFAULT);
+
+            case User::PASSWORD_HASH_INVALID:
+                return false;
+
+            case User::PASSWORD_HASH_ARGON2I:
+                if (!defined('PASSWORD_ARGON2I')) {
+                    throw new PasswordHashTypeNotCompiled('PASSWORD_ARGON2I');
+                }
+
+                return password_needs_rehash($passwordHash, PASSWORD_ARGON2I);
+
+            case User::PASSWORD_HASH_ARGON2ID:
+                if (!defined('PASSWORD_ARGON2ID')) {
+                    throw new PasswordHashTypeNotCompiled('PASSWORD_ARGON2ID');
+                }
+
+                return password_needs_rehash($passwordHash, PASSWORD_ARGON2ID);
+
+            default:
+                throw new UnsupportedPasswordHashType($hashType);
+        }
+    }
 }
diff --git a/src/lib/Repository/UserService.php b/src/lib/Repository/UserService.php
@@ -1354,7 +1354,13 @@ protected function comparePasswordHashForSPIUser(
         #[\SensitiveParameter]
         string $password
     ): bool {
-        return $this->comparePasswordHashes($password, $user->passwordHash, $user->hashAlgorithm);
+        $isValidPassword = $this->comparePasswordHashes($password, $user->passwordHash, $user->hashAlgorithm);
+
+        if ($this->passwordHashService->updatePasswordHashTypeOnLogin()) {
+            $this->updatePasswordHashIfNeeded($password, $user->passwordHash, $user->id, $user->login, $user->email);
+        }
+
+        return $isValidPassword;
     }
 
     /**
@@ -1367,7 +1373,70 @@ protected function comparePasswordHashForAPIUser(
         #[\SensitiveParameter]
         string $password
     ): bool {
-        return $this->comparePasswordHashes($password, $user->passwordHash, $user->hashAlgorithm);
+        $isValidPassword = $this->comparePasswordHashes($password, $user->passwordHash, $user->hashAlgorithm);
+
+        if ($this->passwordHashService->updatePasswordHashTypeOnLogin()) {
+            $this->updatePasswordHashIfNeeded($password, $user->passwordHash, $user->id, $user->login, $user->email);
+        }
+
+        return $isValidPassword;
+    }
+
+    private function updatePasswordHashIfNeeded(
+        #[\SensitiveParameter]
+        string $password,
+        #[\SensitiveParameter]
+        string $passwordHash,
+        int $userId,
+        string $login,
+        string $email
+    ): void
+    {
+        $defaultPasswordHashAlgorithm = $this->passwordHashService->getDefaultHashType();
+        if (!$this->passwordHashService->passwordNeedsRehash($passwordHash, $defaultPasswordHashAlgorithm)) {
+            return;
+        }
+
+        try {
+            $newPasswordHash = $this->passwordHashService->createPasswordHash(
+                $password,
+                $defaultPasswordHashAlgorithm
+            );
+        } catch (Exception $e) {
+            if (isset($this->logger)) {
+                $this->logger->log(LogLevel::ERROR, $e->getMessage(), [
+                    'exception' => $e,
+                ]);
+            }
+
+            return;
+        }
+
+        $this->repository->beginTransaction();
+        try {
+            $this->userHandler->updatePassword(
+                new SPIUser(
+                    [
+                        'id' => $userId,
+                        'login' => $login,
+                        'email' => $email,
+                        'passwordHash' => $newPasswordHash,
+                        'hashAlgorithm' => $defaultPasswordHashAlgorithm,
+                        'passwordUpdatedAt' => time(),
+                    ]
+                )
+            );
+
+            $this->repository->commit();
+        } catch (Exception $e) {
+            $this->repository->rollback();
+
+            if (isset($this->logger)) {
+                $this->logger->log(LogLevel::ERROR, $e->getMessage(), [
+                    'exception' => $e,
+                ]);
+            }
+        }
     }
 
     /**
