supportOldDangerousPassword support removed

Author: omerimzali

src/Authentication/Authenticators/Session.php

@@ -343,30 +343,20 @@ public function check(array $credentials): Result
         /** @var Passwords $passwords */
         $passwords = service('passwords');
 
-        // This is only for supportOldDangerousPassword.
-        $needsRehash = false;
-
         // Now, try matching the passwords.
         if (! $passwords->verify($givenPassword, $user->password_hash)) {
-            if (
-                ! setting('Auth.supportOldDangerousPassword')
-                || ! $passwords->verifyDanger($givenPassword, $user->password_hash) // @phpstan-ignore-line
-            ) {
                 return new Result([
                     'success' => false,
                     'reason'  => lang('Auth.invalidPassword'),
                 ]);
-            }
-
-            // Passed with old dangerous password.
-            $needsRehash = true;
+            
         }
 
         // Check to see if the password needs to be rehashed.
         // This would be due to the hash algorithm or hash
         // cost changing since the last time that a user
         // logged in.
-        if ($passwords->needsRehash($user->password_hash) || $needsRehash) {
+        if ($passwords->needsRehash($user->password_hash)) {
             $user->password_hash = $passwords->hash($givenPassword);
             $this->provider->save($user);
         }

src/Authentication/Passwords.php

@@ -90,21 +90,6 @@ public function verify(string $password, string $hash): bool
         return password_verify($password, $hash);
     }
 
-    /**
-     * Verifies a password against a previously hashed password.
-     *
-     * @param string $password The password we're checking
-     * @param string $hash     The previously hashed password
-     *
-     * @deprecated This is only for backward compatibility.
-     */
-    public function verifyDanger(string $password, string $hash): bool
-    {
-        return password_verify(base64_encode(
-            hash('sha384', $password, true)
-        ), $hash);
-    }
-
     /**
      * Checks to see if a password should be rehashed.
      */

src/Config/Auth.php

@@ -374,16 +374,6 @@ class Auth extends BaseConfig
      */
     public int $hashCost = 12;
 
-    /**
-     * If you need to support passwords saved in versions prior to Shield v1.0.0-beta.4.
-     * set this to true.
-     *
-     * See https://github.com/codeigniter4/shield/security/advisories/GHSA-c5vj-f36q-p9vg
-     *
-     * @deprecated This is only for backward compatibility.
-     */
-    public bool $supportOldDangerousPassword = false;
-
     /**
      * ////////////////////////////////////////////////////////////////////
      * OTHER SETTINGS

tests/Authentication/Authenticators/SessionAuthenticatorTest.php

@@ -313,34 +313,6 @@ public function testCheckSuccess(): void
         $this->assertSame($this->user->id, $foundUser->id);
     }
 
-    public function testCheckSuccessOldDangerousPassword(): void
-    {
-        /** @var Auth $config */
-        $config                              = config('Auth');
-        $config->supportOldDangerousPassword = true; // @phpstan-ignore-line
-
-        fake(
-            UserIdentityModel::class,
-            [
-                'user_id' => $this->user->id,
-                'type'    => Session::ID_TYPE_EMAIL_PASSWORD,
-                'secret'  => '[email protected]',
-                'secret2' => '$2y$10$WswjNNcR24cJvsXvBc5TveVVVQ9/EYC0eq.Ad9e/2cVnmeSEYBOEm',
-            ]
-        );
-
-        $result = $this->auth->check([
-            'email'    => '[email protected]',
-            'password' => 'passw0rd!',
-        ]);
-
-        $this->assertInstanceOf(Result::class, $result);
-        $this->assertTrue($result->isOK());
-
-        $foundUser = $result->extraInfo();
-        $this->assertSame($this->user->id, $foundUser->id);
-    }
-
     public function testAttemptCannotFindUser(): void
     {
         $result = $this->auth->attempt([