Phalcon checkHash return true First times, then return false

I'm implementing a simple login with MICRO,

The problem is: the user register ok in the app, the user changes own password ok in the app, but, after few days users cannot login and they have to change their password agaain and agaaaain, and agaaaain. I check the DB field length and its length is 512, all the stored passwords are 60 Characters length, but when i use $security->checkHash over the passwords vs the stored hashed one ALWAYS is returning FALSE, Unless i hash it again, then returns True

        $data = $app->request->getJsonRawBody();
        $user = Users::findFirst([
            'conditions' => 'username=:username:',
            'bind' => [
                'username' => $data->username,
            ]
        ]);
        $input_password = $data->password;
        $db_password = $user->password;
        if($security->checkHash($data->password, $user->password))
        {
            $payload = [
                'id'   => $user->id,
                'email' => $user->email,
                'username' => $user->username,
                'role'  => $user->profile_id,
                'iat' => time(),
            ];

            $token = $this->auth->make($payload);
            echo json_encode(['_token' => $token]);
        }
        else
            echo json_encode(
                [
                    'message' => "Incorrect login data.",
                    'status' => 'error'
                ]
            );

The Registraton code:

         $data = $app->request->getJsonRawBody();
          try
          {
              $user = new Users();
              $security = new Security();

              $user->username = $data->username;
              $user->email = $data->email;
              $user->password = $security->hash($data->password);
              $user->osc = $data->osc;
              $user->cel_phone = $data->cel_phone;
              $user->phone = $data->phone;
              $user->area_id = $data->area_id;
              $user->clave_area = $data->clave_area;
              $user->profile_id = 2;
              $user->name = $data->name;

              if($user->save())
                  echo json_encode(
                      [
                          'message' => 'User created successfully',
                          'status' => 'success'
                      ]
                  );
              else
                  echo json_encode(
                      [
                          'message' => 'there was a problem',
                          'status' => 'error'
                      ]
                  );

And the password recovery code:

        $data = $app->request->getJsonRawBody();
        $data = (array) $data;
        $codigo = CodigosPassword::findFirst([
            'conditions' => [
                'correo' => $data['correo'],
                'codigo' => $data['codigo']
            ]
        ]);
        if(!$codigo){
            echo json_encode([
                'message' => 'there is no password recovery request',
                'status' => 'nocode'
            ]); die();
        }
        $usuario = Users::findFirst([
            'conditions' => [
                'email' => $data['correo']
            ]
        ]);
        $security = new Security();
        $usuario->password = $security->hash($data['password']);
        try{
            $codigo->delete();
            $usuario->save();
            $sendResult = $cliente_correo->sendEmail("[email protected]", 
                $data['correo'], 
                "Se ha cambiado su contraseña de acceso",
                "Se ha reestablecido la contraseña exitosamente");
            echo json_encode(
                [
                    'message' => 'La contraseña ha sido cambiada exitosamente',
                    'status' => 'success'
                ]
            );
        }

:(

edited Aug '20

At first glance this all looks fine.

What does it look like if you do this:

echo $security->hash($input_password).'<br/ >'.$db_password;

Theoretically those should look the same.

Might there be extra whitespace somewhere?

No, it was changed 2 times. I realize that it is a phalcon problem, then i upgrade it to the version 4.06, the password issue was solved and another problem comes. Using Phalcon 4.06 MICRO with PHP 7.4 in DEV send the CORS headers OK but, in Godaddy shared hosting with aparently the same configuration the CORS headers are missing. What a headache.

At first glance this all looks fine.

What does it look like if you do this:

echo $security->hash($input_password).'<br/ >'.$db_password;

Theoretically those should look the same.

Might there be extra whitespace somewhere?