🚀 Feature: Re-hash Password on Phone Update

[stnguyen90]

🔖 Feature description

Users can be imported with a different password hash, but they should be re-hashed to the default algorithm. This is done for the update email API call:

appwrite/app/controllers/api/account.php

Line 1564 in 514b42b

->setAttribute('password', $isAnonymousUser ? Auth::passwordHash($password, Auth::DEFAULT_ALGO, Auth::DEFAULT_ALGO_OPTIONS) : $user->getAttribute('password', ''))

but not for the update phone API call.

🎤 Pitch

Update the update phone API call to make sure it's consistent with update email.

👀 Have you spent some time to check if this issue has been raised before?

• I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

• I have read the Code of Conduct

[harshmange44]

@stnguyen90 I'd like to contribute to this feature.

[stnguyen90]

@harshmange44 assigned! thanks for your interest! 🙏🏼

[harsh020]

@stnguyen90, I would also be interested in working on this.

If I understand this correctly, you want the updatePhone api to re-hash the password if the user is anonymous. Am I right?

[stnguyen90]

@stnguyen90, I would also be interested in working on this.

@harsh020, thanks! 🙏🏼 However, this has already been assigned to @harshmange44 and it's enough to have 1 person working on this.

If I understand this correctly, you want the updatePhone api to re-hash the password if the user is anonymous. Am I right?

Yes, the logic should be the same as the updateEmail API.

[harshmange44]

@stnguyen90 I've raised a PR: ##5003

[abhishek818]

@stnguyen90 @Meldiron can i pick up this issue , have a MR --> #5269

[stnguyen90]

Sorry, looks like we're going to change the behavior a bit.

1. We don't want to update the password for users without a password
2. We don't want to verify the password if the user doesn't have a password