Authentication (3.9) after updating user password (hardcoded value ), login fails

Hi, I’m implementing a web app that has 2 user roles: standard user and admins

I don’t want to use a form to add the admin user, because there will be just 1 admin and will always exist on the Users table.

I just want to be able to reset or update the password but without the need of a form.
Perhaps just by calling a shell command

So I tried updating the password field of the admin user with a hardcoded value
I wrote this test method

public function test(){
    $user = $this->Users->get(1);
    $user = $this->Users->patchEntity($user, [

After updating the password by calling test the password 1234 doesn’t work any more.
If I add the user using a Form like shown in the Cookbook it works great.

The user entity implements this method

     protected function _setPassword(string $password) {

         $hasher = new DefaultPasswordHasher();
         return $hasher->hash($password);


I tried to compare the hash generated with both methods but I realized that it relies on PHP password_hash command and for some reason is time dependent so hashing 1234 gives different results every time

What could be wrong?
Why using the same password in a textfield is not the same as hardcoding the password value on the controller code?

When you run your command line, does the value in the database change for this user? Does it change to “1234” or a hashed value? If hashed, does the resulting hash “look like” other hashes that work?

Hi, in the database the hashed value is stored.

Now I realized that even when the user is added through the “add user” form, it fails to login just after 60 seconds has passed from the SQL insert

I also noticed that the hash changes even the same password. I suspect that the Hasher is adding some time related string to the mix.

14:55 pm, password: “admin”
hash: $2y$10$YHWxF155XO2OmTnjumJGpOhRotie8TW231bDR2.hFjYKsCrfWK8Bi

15:00 pm, password: “admin”
hash: $2y$10$4bFBlPemNYPROIoGIHgReefjDSsEmhDYKr3t4U7SmUeNDsOeaK.E.

I think I found something. There is an issue with de URLs

2020-12-10 18:31:11 Error: Authentication\Authenticator\Result Object
[_status:protected] => FAILURE_OTHER
[_data:protected] =>
[_errors:protected] => Array
[0] => Login URL http://pdgsweb.lh/ did not match /users/login.


I solved the problem, the issue was the loginUrl that was missing a “/” at the end