
Laravel 5.4 get user password on login

Joveice

Hi, I'm still learning Laravel and I'm not sure what I'm looking for at this moment.

I'm creating this "offline" password vault and I need to get the password in plaintext so I can use it to encrypt and decrypt the users' app passwords. User passwords are still stored as a hash in the database, as I do not want to store the user password encrypted or in plaintext. I'm then taking the plaintext password that I got on login and saving it encrypted in the session, where I can then grab it later when needed for encrypting and decrypting.

How can I do this? I'm using the default Laravel auth.

Also, if there are some better ways to do this, please let me know. My idea is to store the users' app passwords encrypted with their own password and not a global one.

Back-end developer, electronics "hacker"


Just to be sure I understand correctly,

 

You're creating a Laravel app, call it XYZ. The user will have an account with a password for XYZ. The user will store other passwords in it, like the password for a bank account, etc...

 

You want to use the XYZ account password in plaintext to encrypt the Bank account password?


3 minutes ago, Severin said:

Just to be sure I understand correctly,

 

You're creating a Laravel app, call it XYZ. The user will have an account with a password for XYZ. The user will store other passwords in it, like the password for a bank account, etc...

 

You want to use the XYZ account password in plaintext to encrypt the Bank account password?

Yes, and the XYZ account password will be stored in the session encrypted each login and deleted on logout (I already know how to do that)

 

EDIT:

 

So all I need is how I can grab the password on login

Back-end developer, electronics "hacker"


I'm not an expert in web encryption, but why not use the hashed version of the XYZ account password to encrypt?


Just now, Severin said:

I'm not an expert in web encryption, but why not use the hashed version of the XYZ account password to encrypt?

If the data gets compromised, they've got both the encrypted data and the key to decrypt it :P If that was the case, I would just encrypt the passwords instead of hashing them, so I could get them back when needed.

Back-end developer, electronics "hacker"
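To make the point of the last two posts concrete: the bcrypt hash in the users table sits in the same database as the vault entries, so a dump of that database would hand an attacker the ciphertext and, if the hash were the key, the key as well. The usual design is to keep the hash for authentication only and derive a separate vault key from the plaintext password with a slow KDF and its own random salt, so nothing stored next to the ciphertext can reproduce the key. The following is an added example written for this thread, not code from the thread, from Laravel or from any library; it is plain PHP using the bundled libsodium extension (PHP 7.2+, or the PECL libsodium extension on older PHP), and the class name `VaultCrypto`, the idea of a `users.vault_salt` column and the sample values are assumptions.

```php
<?php
// Added example: password-derived vault key with libsodium (ext/sodium, PHP >= 7.2).
// Not code from the thread; class and column names are assumptions.

final class VaultCrypto
{
    // Per-user random salt, stored in its own column (assumed: users.vault_salt).
    // It is not secret, but it is independent of whatever salt bcrypt used.
    public static function newSalt(): string
    {
        return random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    }

    // Derive a 32-byte key from the login password with Argon2id.
    // This is the only step that needs the plaintext password.
    public static function deriveKey(string $password, string $salt): string
    {
        return sodium_crypto_pwhash(
            SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES,
            $password,
            $salt,
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
        );
    }

    // Authenticated encryption; a fresh random nonce is prepended to the ciphertext.
    public static function encrypt(string $plaintext, string $key, string $aad = ''): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $aad, $nonce, $key);
        return $nonce . $ct;
    }

    // Returns null for a wrong key, wrong context or tampered blob instead of garbage.
    public static function decrypt(string $blob, string $key, string $aad = ''): ?string
    {
        $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        if (strlen($blob) < $n + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
            return null;
        }
        $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($blob, $n), $aad, substr($blob, 0, $n), $key
        );
        return $pt === false ? null : $pt;
    }
}

// --- Demo with constructed values ---
$loginPassword = 'correct horse battery staple';               // constructed
$salt = VaultCrypto::newSalt();                                // stored beside the user row
$loginHash = password_hash($loginPassword, PASSWORD_BCRYPT);   // what users.password holds

// Authentication and key derivation are two separate operations on the same input.
assert(password_verify($loginPassword, $loginHash));
$key = VaultCrypto::deriveKey($loginPassword, $salt);

// The AAD binds a ciphertext to its row, so entries cannot be swapped between users or sites.
$blob = VaultCrypto::encrypt('bank-secret-123', $key, 'user:42:site:bank');
assert(VaultCrypto::decrypt($blob, $key, 'user:42:site:bank') === 'bank-secret-123');
assert(VaultCrypto::decrypt($blob, $key, 'user:42:site:mail') === null);        // wrong context
assert(VaultCrypto::decrypt($blob, VaultCrypto::deriveKey('wrong', $salt)) === null);

// Nothing stored in the database ($loginHash, $salt, $blob) lets anyone recompute $key:
// the KDF input is the password, never the bcrypt output.
sodium_memzero($key);
sodium_memzero($loginPassword);
```

The interactive Argon2id limits are a reasonable default for a login-time derivation; a server under load can tune them, but the cost should stay high enough that a leaked salt plus ciphertext does not make offline guessing cheap.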


1 minute ago, Joveice said:

If the data gets compromised, they've got both the encrypted data and the key to decrypt it :P If that was the case, I would just encrypt the passwords instead of hashing them, so I could get them back when needed.

Oh yeah.... forgot about that possibility... Maybe you could ask the user to enter a passphrase instead of using his password in plaintext. The passphrase would only be used for encrypting/decrypting. It could also act as another protection: if the XYZ password is leaked, the hacker would not be able to decrypt all the passwords stored.


1 minute ago, Severin said:

Oh yeah.... forgot about that possibility... Maybe you could ask the user to enter a passphrase instead of using his password in plaintext. The passphrase would only be used for encrypting/decrypting. It could also act as another protection: if the XYZ password is leaked, the hacker would not be able to decrypt all the passwords stored.

I could, but it will add another step I don't see the point of as of now.

Back-end developer, electronics "hacker"


Then, if you really need the password in plaintext, you could add a hidden field in your login form and with JavaScript copy the value of the password into this hidden field. Then in your controller you set the session variable from this hidden field.


3 minutes ago, Severin said:

Then, if you really need the password in plaintext, you could add a hidden field in your login form and with JavaScript copy the value of the password into this hidden field. Then in your controller you set the session variable from this hidden field.

Yea that could work, but there must be a better way to do it?

Back-end developer, electronics "hacker"


Well, I'm not sure how Laravel handles the password when the form is submitted, but it's probably hashed before being sent over the network... I'm assuming you're using the LoginController provided by Laravel, so maybe you could look at it and modify it. Maybe it receives the password in plaintext.


2 minutes ago, Severin said:

Well, I'm not sure how Laravel handles the password when the form is submitted, but it's probably hashed before being sent over the network... I'm assuming you're using the LoginController provided by Laravel, so maybe you could look at it and modify it. Maybe it receives the password in plaintext.

There is nothing there that I can change; as I do not know how it uses the auth, I have no idea what I can add to be able to change it.

I have looked at creating my own auth using the Laravel default auth so I can modify it there, but I haven't found any good tutorials for that.

Back-end developer, electronics "hacker"


I'm pretty busy tonight, but tomorrow I will try to set up a small Laravel app and will look at how the auth works and maybe find a way!


2 minutes ago, Severin said:

I'm pretty busy tonight, but tomorrow I will try to set up a small Laravel app and will look at how the auth works and maybe find a way!

If you did that it would be amazing! I'm probably gonna have to look into that myself too.

Back-end developer, electronics "hacker"


8 minutes ago, Joveice said:

If you did that it would be amazing! I'm probably gonna have to look into that myself too.

I will! I'm currently looking for a project to do at home, and I have only worked once with Laravel and I want to push a little more on the subject!


So the idea is to have an account with a master password; once logged in you can see all the passwords for the services you have, like Google/Facebook accounts etc.

The master password should be encrypted with one-way encryption, which you already have.

And the other passwords should be able to be decrypted?

Quote or mention me if not feel ignored 


Sorry, I didn't have time to set up a project yesterday, but I might have a solution.

When you list the routes of the Laravel app you should have the LoginController route. There should be one of type POST and the action should be login or something like that.

You could probably override that action to store the password in the session like you want and then proceed with the regular authentication.


3 weeks later...
On 13.7.2017 at 4:59 PM, Severin said:

Sorry, I didn't have time to set up a project yesterday, but I might have a solution.

When you list the routes of the Laravel app you should have the LoginController route. There should be one of type POST and the action should be login or something like that.

You could probably override that action to store the password in the session like you want and then proceed with the regular authentication.

    /**
     * Validate the user login request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return void
     */
    protected function validateLogin(Request $request)
    {
        /* $request->password will give me the password in plaintext */
        $this->validate($request, [
            $this->username() => 'required|string',
            'password' => 'required|string',
        ]);
    }

But I'm not sure if I'm gonna do this after all.

 

On 12.7.2017 at 7:13 PM, Cruorzy said:

So the idea is to have an account with a master password; once logged in you can see all the passwords for the services you have, like Google/Facebook accounts etc.

The master password should be encrypted with one-way encryption, which you already have.

And the other passwords should be able to be decrypted?

My idea is that the user logs in and his password gets used to encrypt and decrypt, but I'm gonna do it differently now, I think.

 

Back-end developer, electronics "hacker"
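The validateLogin() snippet above shows that the plaintext already arrives in the request, so no hidden form field is needed. A way to act on it that keeps the password itself out of the session is to override the authenticated() hook of the 5.4 AuthenticatesUsers trait: it runs only after Auth::attempt() has verified the bcrypt hash, so failed logins never pay the KDF cost, and only the derived key is put in the session. What follows is an added example written for this thread; it is not code from the thread or from Laravel's own source. It assumes a users.vault_salt column holding a base64-encoded random salt, the session key name 'vault.key', and PHP 7.2+ for ext/sodium.

```php
<?php
// Added example, not from the thread or the Laravel source: hooks on the
// Laravel 5.4 LoginController (AuthenticatesUsers trait). Assumes a users.vault_salt
// column (random bytes, base64 in the DB) and PHP >= 7.2 for ext/sodium.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers {
        logout as traitLogout;
    }

    const VAULT_KEY_SESSION = 'vault.key';   // assumed session key name

    protected $redirectTo = '/home';

    public function __construct()
    {
        $this->middleware('guest', ['except' => 'logout']);
    }

    /**
     * Runs after Auth::attempt() has already verified the credentials against the
     * bcrypt hash. The plaintext is still in the request here, so this is the single
     * place the vault key is derived from it.
     */
    protected function authenticated(Request $request, $user)
    {
        $salt = base64_decode($user->vault_salt, true);
        $key  = sodium_crypto_pwhash(
            SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES,
            $request->input('password'),
            $salt,
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
        );

        // Only the derived key is kept, never the password. The session lives in
        // server-side storage (file/database/redis), so set 'encrypt' => true in
        // config/session.php as well so the serialized session is wrapped with APP_KEY.
        $request->session()->put(self::VAULT_KEY_SESSION, base64_encode($key));
        sodium_memzero($key);
    }

    /**
     * The trait's logout() already flushes the session; forgetting the key first
     * keeps that intent explicit if the trait's behaviour ever changes.
     */
    public function logout(Request $request)
    {
        $request->session()->forget(self::VAULT_KEY_SESSION);
        return $this->traitLogout($request);
    }
}
```

Any vault controller then reads base64_decode($request->session()->get(LoginController::VAULT_KEY_SESSION), true) to get the key for the current request and uses it for the AEAD calls; the key is bound to the session lifetime, which is what "type it once and it works after a page reload" amounts to on the server side.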


1 hour ago, Joveice said:

My idea is that the user logs in and his password gets used to encrypt and decrypt, but I'm gonna do it differently now, I think.

 

Probably smart that you wanna do this another way, but just to solve this problem in theory:

Every time you encrypt or decrypt a password, it would be handy to prompt a password box again where he has to fill in his account password.

Then just throw an Auth::attempt, and if this returns true, the password matches the one-way encrypted user password.

Get the $request->password value and make some function to decrypt/encrypt a password.

So in steps:

1. Make a new random password.

2. Prompt for the user's credentials.

3. Encrypt the password with the previously used password.

4. Save to the database.

Quote or mention me if not feel ignored 
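The four steps above as a Laravel 5.4 controller action, written as an added example for this thread (not the thread's code, not Laravel's). The user is already logged in, so the re-entered account password is verified with Hash::check, which is the same bcrypt comparison Auth::attempt performs without starting a new login. It assumes a users.vault_salt column (base64), a vault_entries table with user_id, site and secret columns, a route named vault.index, and PHP 7.2+ for ext/sodium; all of those names are assumptions.

```php
<?php
// Added example, not from the thread: the re-prompt flow as a Laravel 5.4 controller.
// Each vault write re-asks for the account password, verifies it against the bcrypt
// hash, and only then derives the key and encrypts. Table, column and route names
// are assumptions.

namespace App\Http\Controllers;

use Carbon\Carbon;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;

class VaultEntryController extends Controller
{
    // Step 1: make a new random password for the external service.
    public static function randomPassword(int $length = 20): string
    {
        $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#%^&*-_=+';
        $max = strlen($alphabet) - 1;
        $out = '';
        for ($i = 0; $i < $length; $i++) {
            $out .= $alphabet[random_int(0, $max)];   // CSPRNG, not rand()/mt_rand()
        }
        return $out;
    }

    // Steps 2 to 4: prompt for the account password, verify, encrypt, save.
    public function store(Request $request)
    {
        $this->validate($request, [
            'site'             => 'required|string|max:255',
            'account_password' => 'required|string',
        ]);

        $user = $request->user();

        // Step 2: the re-entered account password must match the stored one-way hash.
        if (!Hash::check($request->input('account_password'), $user->password)) {
            return back()->withErrors(['account_password' => 'Wrong account password.']);
        }

        // Step 3: derive the vault key from the verified password and encrypt.
        $key = sodium_crypto_pwhash(
            SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES,
            $request->input('account_password'),
            base64_decode($user->vault_salt, true),
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
        );
        $nonce  = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $aad    = $user->id . ':' . $request->input('site');   // binds the blob to this row
        $secret = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
            self::randomPassword(), $aad, $nonce, $key
        );
        sodium_memzero($key);

        // Step 4: persist only ciphertext; the generated password never hits the DB in clear.
        DB::table('vault_entries')->insert([
            'user_id'    => $user->id,
            'site'       => $request->input('site'),
            'secret'     => base64_encode($nonce . $secret),
            'created_at' => Carbon::now(),
        ]);

        return redirect()->route('vault.index');   // assumed route name
    }
}
```

Reading an entry back follows the same shape: re-prompt, Hash::check, derive, then split the stored blob into nonce and ciphertext and call the matching decrypt function with the same AAD. The trade-off the thread is circling is exactly this one: a prompt per operation keeps the password out of any server-side state, at the cost of the extra step Joveice wanted to avoid.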


42 minutes ago, Cruorzy said:

 

Probably smart that you wanna do this another way, but just to solve this problem in theory:

Every time you encrypt or decrypt a password, it would be handy to prompt a password box again where he has to fill in his account password.

Then just throw an Auth::attempt, and if this returns true, the password matches the one-way encrypted user password.

Get the $request->password value and make some function to decrypt/encrypt a password.

So in steps:

1. Make a new random password.

2. Prompt for the user's credentials.

3. Encrypt the password with the previously used password.

4. Save to the database.

Yeah, but my current "however it works, I have to have this" is that you only type in the password once and you get to decrypt, even after a page reload. So currently I'm looking at some client-side encryption, creating a master key from the login. How this is gonna work I have no clue yet. (Something like what https://github.com/zeruniverse/Password-Manager has done.)

Back-end developer, electronics "hacker"

