Custom password hasher cakephp 3.8 – Blancer.com Tutorials and projects

I’m throwing a message in a bottle for those who are fairly proficient with Cakephp 3.8. I admit I’m a little rusty after a few years of hiatus from development

I’ll explain my problem:
I have a basic module that allows user registration and login. So far, so good. My problem comes at the login stage, as I’m using a custom hash of the $password+$key type. The $key is automatically generated during registration and then stored in the users table with the other information.

I’d like to know if there is a way to retrieve this value without using manual checks in order to keep my code perfectly clean and functional.

Currently, I can enter any password, and $user returns true as long as the email address exists in the table.

src/Controller/Users/Usercontroller.php

public function register() {
     $userTable = TableRegistry::getTableLocator()->get('Users');
     $user = $this->Users->newEntity($this->request->getData(), ['validate' => 'UserStep1']);
     $user->type = $this->request->getSession()->read('account-type');
     $user->salt = sha1(md5($this->request->getSession()->read('salt')));
     $user->password = $hash->hash($this->request->getData('password'),$this->request->getSession()->read('salt'));

     if ($userTable->save($user)) {
     return true;
     }
}


public function login() {
        if($this->request->is('post')) {
            $user = $this->Auth->identify();
            if($user) {
                $this->Auth->setUser($user);
                $this->redirect($this->redirect($this->Auth->redirectUrl()));
                $this->Flash->response('Connecté', [
                    'key'   => 'response',
                    'params'    => [
                        'status'    => 'success'
                    ]
                ]);
            } else {
                $this->Flash->response('Identifiant ou mot de passe incorrect', [
                    'key'   => 'response',
                    'params'    => [
                        'status'    => 'error'
                    ]
                ]);
            }
        }
    }

src/Auth/CustomPasswordHasher.php

namespace Appauth;

use CakeAuthAbstractPasswordHasher;

class CustomPasswordHasher extends AbstractPasswordHasher {

    public function hash($password, $securestring = null) {
        $encode=  sha1(md5('stringmasked'). md5(sha1($password)).sha1(sha1(md5($securestring))));

        return $encode;
    }
    public function check($password, $salt)
    {
        $encode = sha1(md5('stringmasked').md5(sha1($password)).sha1(($salt)));

        return $encode;
    }
}

src/Controller/AppController.php

$this->loadComponent('Auth', [
            'authenticate'  => [
                'Form'  => [
                    'fields'    => ['username'  => 'email'],
                    'passwordHasher'    => ['className' => 'Custom']
                ]
            ]
        ]);
        $this->Auth->allow();

I admit that I’m a bit stuck on this problem, I don’t really know where the problem comes from

Thanks