/**
 * Check a username/password pair against the accounts table.
 *
 * Every failure path returns false, so the return value does not tell a
 * caller whether the username or the password was wrong.
 *
 * NOTE(review): the success value is `(int) $row['userid']`. Callers should
 * compare the result with `=== false`, since a loose truthiness check would
 * treat a userid that casts to 0 as a failed login.
 *
 * @param string       $username Account name to look up.
 * @param HiddenString $password Candidate password supplied by the caller.
 * @return int|false The matching account's userid, or false on failure.
 */
public function login(string $username, HiddenString $password)
{
    // Defence in depth: the table name comes from configuration, not from the
    // request, but it is still escaped as an identifier before being
    // concatenated into the statement.
    $accounts = $this->db->escapeIdentifier(
        $this->tableConfig['table']['accounts']
    );

    // The username is never concatenated; it is handed to row() separately
    // to fill the `?` placeholder.
    $account = $this->db->row(
        'SELECT * FROM ' . $accounts . ' WHERE username = ?',
        $username
    );

    if (empty($account)) {
        // Unknown user: still run one verification against the dummy hash so
        // that this path is not distinguishable from a wrong password by
        // response time. The result is deliberately discarded.
        // NOTE(review): this only equalises timing if $this->dummyHash is a
        // well-formed hash with the same cost settings as real account
        // hashes. Confirm where it is generated.
        Password::verify($password->getString(), $this->dummyHash, $this->key);
        return false;
    }

    // Accounts flagged for migration are first tried against the imported
    // hash; what migrateImportedHash() does with the row is not visible here.
    if (!empty($account['migration'])) {
        $importedHash = new HiddenString($account['password']);
        if ($this->migrateImportedHash($password, $importedHash, $account)) {
            return (int) $account['userid'];
        }
        // A failed migration falls through to the regular verification.
    }

    $passwordMatches = Password::verify(
        $password->getString(),
        $account['password'],
        $this->key
    );

    return $passwordMatches
        ? (int) $account['userid']
        : false;
}