I recently had to deal with migrating legacy systems to a Laravel 5.4 app, as you might have guessed, the legacy app was using sha1 and not bcrypt.
Here is how I managed to silently update sha1 passwords to the more secure bcrypt version:
<?php
namespace App\Listeners;
use Illuminate\Auth\Events\Attempting;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Contracts\Queue\ShouldQueue;
use App\User;
use Hash;
class CheckOldHashedPassword
{
/**
* Create the event listener.
*
* @return void
*/
public function __construct()
{
//
}
/**
* Handle the event.
*
* @param Login $event
* @return void
*/
public function handle(Attempting $event)
{
$user = User::where('email', $event->credentials['username'])->first();
if (!empty($user) && $user->password === sha1($event->credentials['password'])) {
// update password
$user->password = Hash::make($event->credentials['password']);
$user->save();
}
}
}
Just created the above file in app\Listeners
.
Depending on the name of your login field, you might need to change the array key being used in $event->credentials
, possibly username
or email
.
If you are using md5 or something else, then you can easily add in the checks that you need.