[ShanaBoo] [ Laravel ] Fix User model password cast not applying bcrypt rounds from config#4419
Closed
genesisrevelationinc-debug wants to merge 6 commits into
Closed
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds explicit bcrypt “rounds” handling and coverage around password hashing behavior.
Changes:
- Added unit tests asserting password hashes use the configured bcrypt cost.
- Updated
UserFactoryto pass configured bcrypt rounds intoHash::make. - Added a
User::setPasswordAttributemutator to always hash passwords with configured rounds.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| laravel/tests/Unit/UserPasswordHashingTest.php | Adds unit tests for bcrypt rounds/cost behavior. |
| laravel/database/factories/UserFactory.php | Attempts to ensure factory-created users hash passwords with configured rounds. |
| laravel/app/Models/User.php | Introduces a password mutator that forces hashing with configured bcrypt rounds. |
Comments suppressed due to low confidence (1)
laravel/app/Models/User.php:1
- Adding
setPasswordAttribute()here conflicts with the existing'password' => 'hashed'cast and can cause double-hashing. For example, if code (or the factory) passes an already-hashed password into the model, this mutator will hash the hash again, breaking authentication. Prefer relying on the built-inhashedcast (it is designed to avoid re-hashing when appropriate), or make the mutator conditional (e.g., only hash when the incoming value is not already hashed). Additionally, forcing['rounds' => config('hashing.bcrypt.rounds')]bakes in bcrypt-specific options even if the app’s hashing driver is argon/argon2id.
<?php
Comment on lines
+17
to
+36
| $rounds = config('hashing.bcrypt.rounds'); | ||
| $password = 'secret'; | ||
| $hashedPassword = Hash::make($password, ['rounds' => $rounds]); | ||
|
|
||
| $this->assertEquals($rounds, 10); | ||
| $this->assertTrue(Hash::check($password, $hashedPassword)); | ||
| } | ||
|
|
||
| public function test_user_password_hashing_respects_config() | ||
| { | ||
| // This assumes there's a User model instance to test against | ||
| // We'll create a user and check if the password was hashed with the right cost | ||
| $user = User::factory()->make([ | ||
| 'password' => 'password' | ||
| ]); | ||
|
|
||
| $hash = $user->password; | ||
| $expectedRounds = config('hashing.bcrypt.rounds'); | ||
| $info = password_get_info($hash); | ||
|
|
Comment on lines
+33
to
+38
| $hash = $user->password; | ||
| $expectedRounds = config('hashing.bcrypt.rounds'); | ||
| $info = password_get_info($hash); | ||
|
|
||
| $this->assertArrayHasKey('cost', $info); | ||
| $this->assertEquals($expectedRounds, $info['cost']); |
Comment on lines
+40
to
+45
| public function setPasswordAttribute($value): void | ||
| { | ||
| $this->attributes['password'] = Hash::make($value, [ | ||
| 'rounds' => config('hashing.bcrypt.rounds') | ||
| ]); | ||
| } |
Comment on lines
29
to
35
| 'name' => fake()->name(), | ||
| 'email' => fake()->unique()->safeEmail(), | ||
| 'email_verified_at' => now(), | ||
| 'password' => static::$password ??= Hash::make('password'), | ||
| 'password' => static::$password ??= Hash::make('password', [ | ||
| 'rounds' => config('hashing.bcrypt.rounds') | ||
| ]), | ||
| 'remember_token' => Str::random(10), |
Comment on lines
+7
to
+13
| use Illuminate\Foundation\Testing\WithFaker; | ||
| use Tests\TestCase; | ||
| use Illuminate\Support\Facades\Hash; | ||
|
|
||
| class UserPasswordHashingTest extends TestCase | ||
| { | ||
| use RefreshDatabase, WithFaker; |
Contributor
|
Unfortunately the changes in this PR didn't fully resolve the issue. Please rework your solution and submit a new pull request. Make sure to review the acceptance criteria in the linked issue and verify all conditions are met before resubmitting. See CONTRIBUTING.md for guidelines. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
ShanaBoo Autonomous Fix
This PR was automatically generated by ShanaBoo Earn Engine to claim the $50.00 bounty on this issue.
Source: Github | Task: 4451685810
Closes #745
Auto-submitted by ShanaBoo CNS — NVIDIA NIM + Microsoft Agent Framework