
Comments (22)

lonnieezell commented on July 30, 2024

Oh, dang, forgot about that. I think using the ints instead of the constants would solve it:

public $hashMemoryCost = 1024; // PASSWORD_ARGON2_DEFAULT_MEMORY_COST

from myth-auth.

fefo-p commented on July 30, 2024

**PASSWORD_ARGON2I** - Use the Argon2i hashing algorithm to create the hash. This algorithm is only available if PHP has been compiled with Argon2 support.
**PASSWORD_ARGON2ID** - Use the Argon2id hashing algorithm to create the hash. This algorithm is only available if PHP has been compiled with Argon2 support.

You're right. I understood it came by default with PHP 7.2.
Sorry for that.

Lonnie, not quite. If it's not compiled with ARGON2I support, it won't matter if you use ints or the constant name. It just won't work as it will not know the algorithm to use.
If it does have support compiled into php, then constants or ints is the same.

Will check the condition to load ARGON2i if it has support, and maybe default to BCRYPT or DEFAULT if it doesn't.
What do you think?

fefo-p commented on July 30, 2024

BTW, Argon2i comes as of PHP 7.2 and Argon2id as of PHP 7.3

MGatner commented on July 30, 2024

I'm on 7.2.19 and got the error. I think a fresh install might include it by default but upgrades from previous PHP versions not compiled with the support won't add it. Just a guess though

fefo-p commented on July 30, 2024

Yes, I meant the possibility of having it :)

MGatner commented on July 30, 2024

Oh! Sorry, misunderstood. It does appear to be compiled by default at some point, best as I can tell. Pretty new library so not a lot of clear info on it.

fefo-p commented on July 30, 2024

What do you think about defaulting to BCRYPT instead of DEFAULT?
Or maybe we can add another CONSTANT named $fallbackHashAlgorithm?

lonnieezell commented on July 30, 2024

> What do you think about defaulting to BCRYPT instead of DEFAULT?
> Or maybe we can add another CONSTANT named $fallbackHashAlgorithm?

What is the issue with defaulting to DEFAULT? I believe in most (all?) versions of PHP that's Bcrypt anyway. If the system has a different one set (or a new PHP version is installed that defaults to a different algo) then Myth:Auth upgrades the passwords for them.

fefo-p commented on July 30, 2024

Something like:

in Auth config
// Valid values are PASSWORD_DEFAULT, PASSWORD_BCRYPT and PASSWORD_ARGON2I.
public $hashAlgorithm = PASSWORD_ARGON2I;
public $fallbackHashAlgorithm = PASSWORD_DEFAULT;

and in User Entity
if( defined(PASSWORD_ARGON2I) && ($config->hashAlgorithm == PASSWORD_ARGON2I))
{
    $hashOptions = [
        'memory_cost' => $config->hashMemoryCost,
        'time_cost' => $config->hashTimeCost,
        'threads' => $config->hashThreads
    ];
}
else
{
    $config->hashAlgorithm = $config->fallbackHashAlgorithm;
}

fefo-p commented on July 30, 2024

True Lonnie, I got carried away :)

MGatner commented on July 30, 2024

You can’t even use the constant PASSWORD_ARGON2I without having the module installed

fefo-p commented on July 30, 2024

Exactly, in which case defined(PASSWORD_ARGON2I) would be false

MGatner commented on July 30, 2024

Yes but the config file will fail to load if you have this:
public $hashAlgorithm = PASSWORD_ARGON2I;

fefo-p commented on July 30, 2024

Ok, so maybe it's better to ship it with DEFAULT as default value, but keep the User Entity changes in case it has support and the admin chooses to set it in config

fefo-p commented on July 30, 2024

Nope, true problem is we cannot use a conditional in a class definition (Auth) so there's no way to check if there's support for these constants.

MGatner commented on July 30, 2024

I think this would work:

public $hashAlgorithm = defined(PASSWORD_ARGON2I) ? PASSWORD_ARGON2I : PASSWORD_DEFAULT;

But I think it would also be a fine solution to ship with PASSWORD_DEFAULT and instructions on the other options, then use defined() in Entity as you have it, for folks who wanted to go that route.

fefo-p commented on July 30, 2024

Not sure, it may become complex if you take into account ARGON2ID as well. One too many if's

fefo-p commented on July 30, 2024

Would look like this

if (
(defined(PASSWORD_ARGON2I) && ($config->hashAlgorithm == PASSWORD_ARGON2I))
||
(defined(PASSWORD_ARGON2ID) && ($config->hashAlgorithm == PASSWORD_ARGON2ID))
)
If you're ok with it, I can implement it, but there has to be another way to make it cleaner

fefo-p commented on July 30, 2024

Won't work.
I tried this -without support for 2ID- and it throws an exception.
Error available in https://ibb.co/mGv3gLs
Maybe it's better to fall back to the state previous to the merge.

fefo-p commented on July 30, 2024

Found the issue. Will pr in a minute

fefo-p commented on July 30, 2024

Corrected in fix #74
Can be closed now

MGatner commented on July 30, 2024

Confirmed working! Thanks for the quick PR

from myth-auth.
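
The pattern the thread works toward (check for Argon2 support at runtime, fall back to PASSWORD_DEFAULT, and let existing hashes be upgraded on login), as an added example that is not Myth:Auth's code and not the change made in fix #74. `ExampleAuthConfig`, `resolveHashSettings()` and `verifyAndUpgrade()` are hypothetical names and the cost values are samples; the config stores the constant's name as a string because `defined()` takes a name, and a bare `PASSWORD_ARGON2I` is evaluated before `defined()` ever runs.

```php
<?php
// Added example, not Myth:Auth code; names are hypothetical, costs are samples.
class ExampleAuthConfig
{
    // Stored as the constant's NAME, so this file loads even when PHP
    // was built without Argon2 and PASSWORD_ARGON2ID does not exist.
    public $hashAlgorithm  = 'PASSWORD_ARGON2ID';
    public $hashMemoryCost = 65536; // KiB
    public $hashTimeCost   = 4;
    public $hashThreads    = 1;
}

function resolveHashSettings(ExampleAuthConfig $config): array
{
    $argon = ['PASSWORD_ARGON2I', 'PASSWORD_ARGON2ID'];
    $known = array_merge(['PASSWORD_DEFAULT', 'PASSWORD_BCRYPT'], $argon);
    $name  = $config->hashAlgorithm;
    // defined() receives a string; constant() is reached only once the
    // constant is known to exist, so nothing undefined is ever evaluated.
    if (! in_array($name, $known, true) || ! defined($name)) {
        return [PASSWORD_DEFAULT, []];
    }
    $options = in_array($name, $argon, true)
        ? ['memory_cost' => $config->hashMemoryCost,
           'time_cost'   => $config->hashTimeCost,
           'threads'     => $config->hashThreads]
        : [];

    return [constant($name), $options];
}

// Returns null on a wrong password, otherwise the hash to store: the old one,
// or a fresh one when the stored hash no longer matches the resolved settings.
function verifyAndUpgrade(string $password, string $stored, ExampleAuthConfig $config): ?string
{
    if (! password_verify($password, $stored)) {
        return null;
    }
    [$algo, $options] = resolveHashSettings($config);

    return password_needs_rehash($stored, $algo, $options)
        ? password_hash($password, $algo, $options)
        : $stored;
}

// Constructed demo: a bcrypt hash is re-hashed on login only if Argon2id exists.
$old = password_hash('constructed-sample', PASSWORD_BCRYPT);
var_dump(verifyAndUpgrade('constructed-sample', $old, new ExampleAuthConfig()) !== $old);
```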
