The laravel auth system uses bcrypt for saving passwords. Is it possible to do the same for the username (i.e. email)? I want to avoid that any customer email addresses are save plain text in the DB.
EDIT:
I don't need to know the user email for any other functionality. I only want the users to be able to login with their email address. I am just wondering if there is an easy way to do this with the integrated laravel auth system or if I need to write the whole auth logic myself
分享 The general flow for authenticating a user against a hashed password is:
password_verify
This relies on the username being stored in plain-text, since otherwise the second step cannot be performed. If you were to hash the username as well, the process would need to become:
password_verify
This is in theory a workable approach, but it is not at all scalable. Step 2 requires either fetching all users into memory, or paging through them, both of which will add significant overhead. Verifying hashed data is also (by design) an expensive operation, and if you have to perform it twice for every user in your database, every time anyone logs in, you'll quickly run into trouble.
I think one thing you might be missing is that password_hash generates a different hash each time, even for the same input string. This is what makes the second approach unworkable, since it prevents looking up a single user.
Additionally, as was mentioned in the comments, anything hashed using bcrypt is going to stay hashed. You might not need to actually send emails to the user, but you'll also lose the ability to display their username on the site, either in a user profile page or alongside any content/etc.
分享
