From a27389889febe1acf849ac85a3373cd31cf9a363 Mon Sep 17 00:00:00 2001
From: Thomas Fini Hansen
Date: Wed, 25 Sep 2024 13:24:56 +0200
Subject: [PATCH] Handle PHPs BCrypt hashes version

---
 CHANGELOG.md | 3 +++
 src/controllers/legacy_entity_controller.cr | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4c5c88..dff7c1f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ and this project adheres to [Intended Effort Versioning](https://jacobtomlinson.
 
 ## 1.3.2 - [Unreleased]
 
+### Fixed
+- Handle PHPs old BCrypt version.
+
 ### Changed
 - Invalid token creds results in 403 response, not an anonymous response.
 
diff --git a/src/controllers/legacy_entity_controller.cr b/src/controllers/legacy_entity_controller.cr
index ed60b89..2a38526 100644
--- a/src/controllers/legacy_entity_controller.cr
+++ b/src/controllers/legacy_entity_controller.cr
@@ -7,9 +7,21 @@ class LegacyEntityController < Amber::Controller::Base
   def index
     token_user = nil : User?
     if params[:token]?
-      token = params[:token].split("|")
+      # Timelord uses a version of bcrypt hash that's basically only
+      # used by PHP, so we "fix" it to the version Crystal BCrypt
+      # uses. This is hackery stuff, but using password hashes in auth
+      # was a bad move to start with, so we'll hack in compatibility
+      # until we get it fixed proper.
+      token = params[:token].gsub(/^\$2y\$/, "$2a$").split("|")
       if token.size == 2
         token_user = User.find_by(hashed_password: token[0], email: token[1])
+
+        unless token_user
+          # If we couldn't find a user by Crystal BCrypt hash, try
+          # again with PHP version, we have some migrated users with
+          # the old PHP version.
+          token_user = User.find_by(hashed_password: token[0].gsub(/^\$2a\$/, "$2y$"), email: token[1])
+        end
       end
       unless token_user