🛡️ Sentinel: [HIGH] Secure password storage using hashing
By AmmarBasha2011
Assigned to
🚨 Severity: HIGH

💡 Vulnerability: User passwords were stored in plaintext and verified using direct string comparison in SQL queries.

🎯 Impact: If the database is compromised, all user passwords would be exposed in plaintext, leading to account takeovers and potential credential stuffing attacks on other services.

🔧 Fix:
- Implemented `password_hash()` with `PASSWORD_DEFAULT` in `UserAuth::signUp`.
- Implemented `password_verify()` in `UserAuth::signIn`.
- Updated `signIn` logic to retrieve the user by identifiers and then verify the password hash manually.
- Updated user existence check in `signUp` to ignore the password field.

✅ Verification:
- Created a new security test `tests/security/password_hashing_test.php` which confirms that passwords are not stored in plaintext and that authentication correctly verifies hashes and rejects incorrect passwords.
- Ran the full framework test suite (`php tests/test_runner.php`) to ensure no regressions.

---

*PR created automatically by Jules for task [3325990901926704448](https://ift.tt/42b7OYC) started by @AmmarBasha2011*
Labeled:
June 2, 2026 at 12:11AM
via GitHub https://ift.tt/LgTchm9
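The pattern the PR describes, shown as an added illustration that is not the project's `UserAuth` code: the "before" function compares the submitted password inside the SQL `WHERE` clause against a plaintext column, while the "after" pair stores only a `password_hash()` result and, on sign-in, fetches the row by identifier and lets `password_verify()` do the comparison in PHP. The `users` table, its `username`/`password` columns and the in-memory SQLite setup are assumptions made for the example (it needs PHP 8 with the `pdo_sqlite` extension).

```php
<?php
// Added example, not the project's own code. Assumes a PDO connection and a
// hypothetical `users` table with `username` and `password` columns.

// BEFORE (the pattern the PR removes): the plaintext password is both stored
// as-is and compared inside the SQL query, so a database dump reveals every
// credential directly.
function signInPlaintext(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// AFTER: sign-up persists only a salted, slow hash.
function signUp(PDO $db, string $username, string $password): void
{
    // PASSWORD_DEFAULT currently selects bcrypt; the algorithm, cost and salt
    // are encoded in the hash string, so password_verify() needs no extra state.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// AFTER: sign-in looks the user up by identifier only; the submitted password
// never appears in SQL, and the comparison happens in password_verify().
function signIn(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same outcome for unknown user and wrong password
    }

    // Transparent upgrade when the default algorithm or cost changes in a
    // later PHP release: rehash with the plaintext we just verified.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    unset($row['password']); // never hand the hash back to callers
    return $row;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Self-contained run against constructed sample data in an in-memory SQLite DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE, password TEXT)');

$plaintext = 'correct horse battery staple'; // constructed sample password
signUp($db, 'alice', $plaintext);

$stored = $db->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
check($stored !== $plaintext, 'stored value is not the plaintext');
check(password_get_info($stored)['algo'] !== null, 'stored value is a recognised password hash');
check(signIn($db, 'alice', $plaintext) !== null, 'correct password is accepted');
check(signIn($db, 'alice', 'wrong password') === null, 'wrong password is rejected');
check(signIn($db, 'mallory', $plaintext) === null, 'unknown user is rejected');
check(signInPlaintext($db, 'alice', $plaintext) === null, 'old SQL comparison no longer matches a hashed column');
echo "all checks passed\n";
```

The last check is worth keeping in a migration: once the column holds hashes, any leftover code path that still compares the raw password in SQL silently stops matching, which is the behaviour the PR's `tests/security/password_hashing_test.php` is described as locking in.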