I had a small task come to me recently wherein a site needed to allow for verification of ExpressionEngine credentials but couldn't use the normal controllers for access. The challenge was in how ExpressionEngine encrypts the passwords and replicating that behavior. Taking a look at the Login controllers made things very clear though; as usual ExpressionEngine was very well written.
Here's an example of how to do it (note that this will only work within the CP):
<?php
$user = 'test';
$pass = 'test';
$this->EE->db->select('members.password, members.unique_id, members.member_id, members.group_id, member_groups.can_access_cp');
$this->EE->db->where('username', $user);
$this->EE->db->where('member_groups.site_id', $this->EE->config->item('site_id'));
$this->EE->db->where('members.group_id = '.$this->EE->db->dbprefix('member_groups.group_id'));
$query = $this->EE->db->get(array('members', 'member_groups'));
if ($query->num_rows() != 0)
{
$password = do_hash($pass);
if ($query->row('password') == $password)
{
//good user credentials 😊
}
else
{
//bad password/good username
}
}
else
{
//bad username
}
?>
According to the site admin who passed this my way the above won't work outside the CP. He was kind enough to send along an example that worked fine for their situation:
<?php
$this->EE->load->library('auth');
$this->EE->lang->loadfile('login');
$authorized = $this->EE->auth->authenticate_username($this->EE->input->post('username'), $this->EE->input->post('password'));
if ( ! $authorized)
{
set_status_header(500);
exit(lang('unauthorized_request'));
}
?>