In 3.8 we silently added support for validating Argon2i password hashes, a feature present in PHP 7.2. However, our API still only supports generating bcrypt password hashes. This PR adjusts Joomla\CMS\User\UserHelper::hashPassword() to allow specifying the hashing algorithm for use as well as the ability to pass options forward into the native password_hash() function.
For normal use of the CMS, nothing changes. User password hashes are still generated with bcrypt and users are able to log in without issue. For those on a PHP 7.2 build with Argon2i support (note that while this is available in the sodium extension, right now we only support its use through the PHP password_* functions, which require PHP compiled with the Argon2 library available), they should be able to call Joomla\CMS\User\UserHelper::hashPassword('myPassword', PASSWORD_ARGON2I); and receive a password hashed with the Argon2i algorithm.
API additions documented.
Category | ⇒ | Libraries Unit Tests |
Status | New | ⇒ | Pending |
You can run this small PHP code as test.php in your document root.
<?php
// PASSWORD_ARGON2I is only defined when PHP was compiled with the Argon2 library
if (!defined('PASSWORD_ARGON2I'))
{
    echo 'no argon2i support';
}
else
{
    echo 'there is argon2i support';
}
Aiii, no argon2i support here. But I have another option that might be better in this sense..
Nope. 7.2.0RC3 in the other box also has no Argon2i support, based on above test-method.
In order to test someone will have to compile it him/herself. Which makes me wonder, how do we know that any hoster is going to support this in the near future?
We don't know what hosts will or will not be supporting. And to be honest I'm not entirely concerned about hosting support for it right now. The primary goal with this PR is to do two things with our API:
Even right now our CI builds don't support the Argon2i library, we would have to add some build time on PHP 7.2+ to compile it in. So I expect it's probably going to be a low use feature for many PHP folks for a while (in part because it's a new library to use in the PHP binary and in part because implementing Argon2i hashing in existing applications comes with a migration task).
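The migration task mentioned above, as an added example (not code from this PR or from Joomla): rehash on successful login with PHP's native password_* functions, falling back to bcrypt when the build lacks Argon2i. The function names preferredAlgorithm() and verifyAndUpgrade(), the bcrypt cost of 10 and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example; preferredAlgorithm() and verifyAndUpgrade() are hypothetical
// helper names, not part of the Joomla API.

/** Return [algorithm, options] for the strongest hash this PHP build offers. */
function preferredAlgorithm(): array
{
    if (defined('PASSWORD_ARGON2I')) {
        // These constants only exist when PHP was compiled with the Argon2 library.
        return [PASSWORD_ARGON2I, [
            'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST,
            'time_cost'   => PASSWORD_ARGON2_DEFAULT_TIME_COST,
            'threads'     => PASSWORD_ARGON2_DEFAULT_THREADS,
        ]];
    }

    return [PASSWORD_BCRYPT, ['cost' => 10]]; // assumed cost for this example
}

/**
 * Check a login attempt. Returns [ok, newHash]; newHash is non-null only when
 * the password was correct and the stored hash should be replaced.
 */
function verifyAndUpgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }

    [$algo, $options] = preferredAlgorithm();

    // The plaintext is only available at login, so this is the moment to migrate.
    if (password_needs_rehash($storedHash, $algo, $options)) {
        return [true, password_hash($password, $algo, $options)];
    }

    return [true, null];
}

// Constructed sample: a bcrypt hash as an existing site would have stored it.
$stored = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);

[$ok, $newHash] = verifyAndUpgrade('correct horse', $stored);
echo 'login ok: ', var_export($ok, true), PHP_EOL;
echo 'stored as: ', password_get_info($stored)['algoName'], PHP_EOL;
echo 'upgrade to: ', $newHash === null ? '(unchanged)' : password_get_info($newHash)['algoName'], PHP_EOL;

[$ok, $newHash] = verifyAndUpgrade('wrong guess', $stored);
echo 'wrong password ok: ', var_export($ok, true), PHP_EOL;
```

Once hashes have been upgraded to Argon2i, password_verify() rejects them on any PHP build without the Argon2 library, so a site moved to such a host would lock those users out.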
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-10-18 22:06:52 |
Closed_By | ⇒ | wilsonge |
How do I check if my copy of 7.2.0dev has been compiled with the Argon2 library?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/18254.