Use original password to generate new password hash.

src/ZfcUser/Authentication/Adapter/Db.php

@@ -55,14 +55,13 @@ public function authenticate(AuthenticationEvent $event)
         if ($this->isSatisfied()) {
             $storage = $this->getStorage()->read();
             $event->setIdentity($storage['identity'])
-                  ->setCode(AuthenticationResult::SUCCESS)
-                  ->setMessages(array('Authentication successful.'));
+                ->setCode(AuthenticationResult::SUCCESS)
+                ->setMessages(array('Authentication successful.'));
             return;
         }
 
         $identity   = $event->getRequest()->getPost()->get('identity');
         $credential = $event->getRequest()->getPost()->get('credential');
-        $credential = $this->preProcessCredential($credential);
         $userObject = null;
 
         // Cycle through the configured identity sources and test each
@@ -81,7 +80,7 @@ public function authenticate(AuthenticationEvent $event)
 
         if (!$userObject) {
             $event->setCode(AuthenticationResult::FAILURE_IDENTITY_NOT_FOUND)
-                  ->setMessages(array('A record with the supplied identity could not be found.'));
+                ->setMessages(array('A record with the supplied identity could not be found.'));
             $this->setSatisfied(false);
             return false;
         }
@@ -90,17 +89,18 @@ public function authenticate(AuthenticationEvent $event)
             // Don't allow user to login if state is not in allowed list
             if (!in_array($userObject->getState(), $this->getOptions()->getAllowedLoginStates())) {
                 $event->setCode(AuthenticationResult::FAILURE_UNCATEGORIZED)
-                      ->setMessages(array('A record with the supplied identity is not active.'));
+                    ->setMessages(array('A record with the supplied identity is not active.'));
                 $this->setSatisfied(false);
                 return false;
             }
         }
 
+        $preprocessedCredential = $this->preProcessCredential($credential);
         $cryptoService = $this->getHydrator()->getCryptoService();
-        if (!$cryptoService->verify($credential, $userObject->getPassword())) {
+        if (!$cryptoService->verify($preprocessedCredential, $userObject->getPassword())) {
             // Password does not match
             $event->setCode(AuthenticationResult::FAILURE_CREDENTIAL_INVALID)
-                  ->setMessages(array('Supplied credential is invalid.'));
+                ->setMessages(array('Supplied credential is invalid.'));
             $this->setSatisfied(false);
             return false;
         } elseif ($cryptoService instanceof Bcrypt) {
@@ -119,7 +119,7 @@ public function authenticate(AuthenticationEvent $event)
         $storage['identity'] = $event->getIdentity();
         $this->getStorage()->write($storage);
         $event->setCode(AuthenticationResult::SUCCESS)
-              ->setMessages(array('Authentication successful.'));
+            ->setMessages(array('Authentication successful.'));
     }
 
     protected function updateUserPasswordHash(UserEntity $user, $password, Bcrypt $bcrypt)

tests/ZfcUserTest/Authentication/Adapter/DbTest.php

@@ -4,6 +4,7 @@
 
 use PHPUnit_Framework_MockObject_MockObject as MockObject;
 use PHPUnit_Framework_TestCase as TestCase;
+use Zend\Crypt\Password\Bcrypt;
 use ZfcUser\Authentication\Adapter\Db;
 
 class DbTest extends TestCase
@@ -392,6 +393,60 @@ public function testUpdateUserPasswordHashWithoutSameCost()
         $method->invoke($this->db, $this->user, 'ZfcUserNew', $this->bcrypt);
     }
 
+    /**
+     * @covers ZfcUser\Authentication\Adapter\Db::Authenticate
+     */
+    public function testUpdatePasswordUsesUnprocessedCredential()
+    {
+        $this->setAuthenticationCredentials('zfc-user@zf-commons.io');
+        $this->setAuthenticationEmail();
+
+        $this->options->expects($this->once())
+            ->method('getEnableUserState')
+            ->will($this->returnValue(false));
+
+        $this->bcrypt->expects($this->once())
+            ->method('verify')
+            ->will($this->returnValue(true));
+        $this->bcrypt->expects($this->any())
+            ->method('getCost')
+            ->will($this->returnValue(static::PASSWORD_COST_10));
+
+        $this->user->expects($this->exactly(2))
+            ->method('getPassword')
+            ->will($this->returnValue('$2a$04$5kq1mnYWbww8X.rIj7eOVOHXtvGw/peefjIcm0lDGxRTEjm9LnOae'));
+        $this->user->expects($this->once())
+            ->method('getId')
+            ->will($this->returnValue(1));
+
+        $this->storage->expects($this->any())
+            ->method('getNameSpace')
+            ->will($this->returnValue('test'));
+
+        $this->authEvent->expects($this->once())
+            ->method('setIdentity')
+            ->with(1)
+            ->will($this->returnValue($this->authEvent));
+        $this->authEvent->expects($this->once())
+            ->method('setCode')
+            ->with(\Zend\Authentication\Result::SUCCESS)
+            ->will($this->returnValue($this->authEvent));
+        $this->authEvent->expects($this->once())
+            ->method('setMessages')
+            ->with(array('Authentication successful.'))
+            ->will($this->returnValue($this->authEvent));
+
+        $this->db->setCredentialPreprocessor(function() {
+            return 'should-not-be-used';
+        });
+        $this->hydrator->expects($this->once())
+            ->method('hydrate')
+            ->with(['password' => 'ZfcUserPassword'], $this->user)
+            ->will($this->returnValue($this->user));
+
+        $this->db->authenticate($this->authEvent);
+    }
+
     /**
      * @covers ZfcUser\Authentication\Adapter\Db::getCredentialPreprocessor
      * @covers ZfcUser\Authentication\Adapter\Db::setCredentialPreprocessor