Changeset 60125 for branches/6.8/tests/phpunit/tests/auth.php

Timestamp:

04/03/2025 02:36:46 PM (3 months ago)

Author:

johnbillion

Message:

Application Passwords: Correct the fallback behaviour for application passwords that don't use a generic hash.

Application passwords that aren't hashed using BLAKE2b should be checked using wp_check_password() rather than assuming they were hashed with phpass. This provides full back compat support for application passwords that were created via an overridden wp_hash_password() function that uses an alternative hashing algorithm.

Reviewed by audrasjb.
Merges [60123] into the 6.8 branch.

Props snicco, debarghyabanerjee, peterwilsoncc, jorbin, johnbillion.

Fixes #63203

Location:

branches/6.8

Files:

• . (modified) (1 prop)
• tests/phpunit/tests/auth.php (modified) (5 diffs)

branches/6.8/tests/phpunit/tests/auth.php

@@ -1136 +1136 @@
 
     /**
+     * @ticket 21022
+     * @ticket 63203
+     */
+    public function test_plain_bcrypt_application_password_is_accepted() {
+        add_filter( 'application_password_is_api_request', '__return_true' );
+        add_filter( 'wp_is_application_passwords_available', '__return_true' );
+
+        $password = 'password';
+
+        // Set an application password with plain bcrypt, which mimics a password that was hashed with
+        // a custom `wp_hash_password()` in use.
+        $uuid = self::set_application_password_with_plain_bcrypt( $password, self::$user_id );
+
+        // Authenticate.
+        $user = wp_authenticate_application_password( null, self::USER_LOGIN, $password );
+
+        // Verify that the plain bcrypt hash for the application password was valid.
+        $this->assertNotWPError( $user );
+        $this->assertInstanceOf( 'WP_User', $user );
+        $this->assertSame( self::$user_id, $user->ID );
+    }
+
+    /**
      * @dataProvider data_usernames
      *
@@ -1590 +1613 @@
         );
         $this->assertSame( $item['uuid'], rest_get_authenticated_app_password() );
+    }
+
+    /**
+     * @ticket 21022
+     * @ticket 63203
+     *
+     * @covers WP_Application_Passwords::create_new_application_password
+     */
+    public function test_application_password_is_hashed_with_fast_hash() {
+        // Create a new app-only password.
+        list( , $item ) = WP_Application_Passwords::create_new_application_password( self::$user_id, array( 'name' => 'phpunit' ) );
+
+        $this->assertStringStartsWith( '$generic$', $item['password'] );
     }
 
@@ -1967 +2003 @@
      * Test the tests
      *
+     * @covers Tests_Auth::set_application_password_with_plain_bcrypt
+     *
+     * @ticket 21022
+     * @ticket 63203
+     */
+    public function test_set_application_password_with_plain_bcrypt() {
+        // Set an application password with the plain_bcrypt algorithm.
+        $uuid = self::set_application_password_with_plain_bcrypt( 'password', self::$user_id );
+
+        // Ensure the password is hashed with plain_bcrypt.
+        $hash = WP_Application_Passwords::get_user_application_password( self::$user_id, $uuid )['password'];
+        $this->assertStringStartsWith( '$2y$', $hash );
+    }
+
+    /**
+     * Creates an application password that is hashed using bcrypt instead of the generic algorithm.
+     *
+     * This is ultimately used to mimic a plugged version of `wp_hash_password()` that uses bcrypt and
+     * facilitate backwards compatibility testing.
+     *
+     * @param string $password The password to hash.
+     * @param int    $user_id  The user ID to associate the password with.
+     * @return string The UUID of the application password.
+     */
+    private static function set_application_password_with_plain_bcrypt( string $password, int $user_id ) {
+        return self::set_application_password( password_hash( $password, PASSWORD_BCRYPT ), $user_id );
+    }
+
+    /**
+     * Test the tests
+     *
      * @covers Tests_Auth::set_application_password_with_phpass
      *
@@ -1980 +2047 @@
     }
 
+    /**
+     * Creates an application password that is hashed using a phpass portable hash instead of the generic algorithm.
+     *
+     * This facilitate backwards compatibility testing.
+     *
+     * @param string $password The password to hash.
+     * @param int    $user_id  The user ID to associate the password with.
+     * @return string The UUID of the application password.
+     */
     private static function set_application_password_with_phpass( string $password, int $user_id ) {
+        return self::set_application_password( self::$wp_hasher->HashPassword( $password ), $user_id );
+    }
+
+    /**
+     * Creates an application password using the given password hash.
+     *
+     * @param string $hash    The password hash.
+     * @param int    $user_id The user ID to associate the password with.
+     * @return string The UUID of the application password.
+     */
+    private static function set_application_password( string $hash, int $user_id ) {
         $uuid = wp_generate_uuid4();
         $item = array(
@@ -1986 +2073 @@
             'app_id'    => '',
             'name'      => 'Test',
-            'password'  => self::$wp_hasher->HashPassword( $password ),
+            'password'  => $hash,
             'created'   => time(),
             'last_used' => null,