php - cakephp upgrade from 1.3 to 2 authentication failure

Question

I've actually figured this out but I couldn't find anything about this until brainstorming with another developer - tracing through the core code to figure out what was going on.

The problem is quite simple - after upgrading from CakePHP v1.3 to v2.5.9 the login (authentication) doesn't work. But there is no error message to tell you why it's not working.

As is noted in the 2.0 Migration Guide:

The AuthComponent was entirely re-factored for 2.0, this was done to help reduce developer confusion and frustration. In addition, AuthComponent was made more flexible and extensible. You can find out more in the Authentication guide.

The Authentication guide mentioned explains all well and good how you should get it to work for a new installation but nothing about what you need to do to migrate.

The further problem is that there is no error to tell you what is going on.

I copied the code for the UsersController.php -> login method from the Authentication guide section on Identifying users:

public function login() {
    if ($this->request->is('post')) {
        // Important: Use login() without arguments! See warning below.
        if ($this->Auth->login()) {
            return $this->redirect($this->Auth->redirectUrl());
            // Prior to 2.3 use
            // `return $this->redirect($this->Auth->redirect());`
        }
        $this->Session->setFlash(
            __('Username or password is incorrect'),
            'default',
            array(),
            'auth'
        );
    }
}

In my AppController.php I had the following:

public $components = array(
    'Session', 'P28n', 'Store', 'SiteStore', 'UserAccessLevel', 'Auth'
);

Then in AppController.php -> beforeFilter:

$this->Auth->authorize = array('Controller');
$this->Auth->loginError = __('Login failed, invalid username or password. Please try again.');
$this->Auth->authError = __('Please log-in.');
$this->Auth->allow('login', 'logout');

The only thing for sure that I knew is that $this->Auth->login() is returning false. But the problem could be anything.

Answer 1

The problem was hashing of passwords. Easy once you know the answer.

I'd got as far as adding in the Simple password hashing component suggested in the Authentication guide:

public $components = array(
    'Auth' => array(
        'authenticate' => array(
            'Form' => array(
                'passwordHasher' => array(
                    'className' => 'Simple',
                    'hashType' => 'sha256'
                )
            )
        )
    )
);

But this still failed, but I couldn't confirm that password hashing was definitely the cause. It took tracing the code through to BaseAuthenticate::_findUser that was definitely failing on the passwords to confirm it.

At this point I then made a stab that the hashing of the passwords from CakePHP could be made to match the Simple passwordHasher.

The passwords in CakePHP 1.3 are saved using sha1, and switching 'hashType' => 'sha1' fixed the problem:

public $components = array(
    'Auth' => array(
        'authenticate' => array(
            'Form' => array(
                'passwordHasher' => array(
                    'className' => 'Simple',
                    'hashType' => 'sha1'
                )
            )
        )
    )
);