
Comments (3)

alexgisby commented on August 21, 2024

Hey @kenesa,

Yep you're totally right, this was something that's been nagging me for a while and I haven't had a chance to look at. I should be able to over the weekend if you can hold on, or if you'd like to submit a pull request I'd be more than happy to review it :)

My thoughts were that the Auth class should probably have a setAlgorithm() and getAlgorithm() pair that then gets passed into the password_hash etc function, but if you can think of a cleaner way please do, otherwise I'll get this patched over the weekend.

Thanks for the report!

Alex

from auth.

kenesa commented on August 21, 2024

Hello Alex,

My concern with a setter/getter for the algorithm is you are now using two different methods of configuration for password_hash(). Both the algo argument and cost options have the same importance, in my mind, to ensuring we have a secure password hash.

As for a clean way to address this, that is a little more complex. Without breaking backwards compatibility, I would recommend:

    $defaultOptions = array(
        'algo' => PASSWORD_BCRYPT,
        'cost' => 8,
    );

    public function hashPassword($pass)
    {
        // Algorithm and cost both come from the same options array
        $algo = $this->options['algo'];
        $optn = array('cost' => $this->options['cost']);
        return password_hash($pass, $algo, $optn);
    }

It has the benefit of being totally plug-n-play with prior releases, yet allows the ability to override the algorithm when needed.

However, this still has a bit of an issue should the password_hash() internal method for generating a salt value be compromised, or there are more options made available in future releases of PHP. To fully solve this cleanly would require breaking backwards compatibility from a configuration point of view.

    $defaultOptions = array(
        'password_hash' => array(
            'algo' => PASSWORD_DEFAULT,
            'options' => array(
                'cost' => 8,
            ),
        )
    );

    public function hashPassword($pass)
    {
        // Everything under 'password_hash' is passed straight to password_hash()
        $algo = $this->options['password_hash']['algo'];
        $optn = $this->options['password_hash']['options'];
        return password_hash($pass, $algo, $optn);
    }

This method focuses the password_hash() configuration in a manner that does not limit any changes you might make to Auth configuration, and eliminates the need to make any changes until such time that the password_hash() signature changes.

from auth.

alexgisby commented on August 21, 2024

Looking through the code, we actually don't return the options to the user at any point, so we could do anything we want internally to that array without worry. So you could do something like:

    $defaultOptions = array(
        'algo' => PASSWORD_BCRYPT,
        'cost' => 8,
    );

    public function hashPassword($pass)
    {
        // Pull 'algo' out so only real password_hash() options remain
        $optn = $this->options;
        $algo = $optn['algo'];
        unset($optn['algo']);
        return password_hash($pass, $algo, $optn);
    }

That way the options array can have other values included within it without worrying about the algo cluttering it up.

Though it's just occurred to me that we may have missed a far more obvious solution. You're totally right, defining the algorithm is a vital part of the lib, so why not append it to the constructor?

    public function __construct($name, SessionDelegate $session, StorageDelegate $storage, array $options = array(), $algorithm = PASSWORD_DEFAULT)

There's no BC break since we supply a default arg, and it allows users to change up what algo they use? How does that feel?

from auth.
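Added example, not part of the thread or of the library's code: a sketch of how the two configuration shapes discussed above (flat `algo`/`cost` and nested `password_hash`) can be accepted side by side, and how `password_needs_rehash()` lets a changed algorithm or cost take effect for hashes already in storage. The class name `PasswordHasher` and its method names are hypothetical.

```php
<?php
// Added illustration; PasswordHasher and its option handling are hypothetical,
// not part of the auth library discussed in this thread.
final class PasswordHasher
{
    private $algo;
    private $options;

    public function __construct(array $config = array())
    {
        if (isset($config['password_hash'])) {
            // Nested shape: everything under 'password_hash' goes to password_hash().
            $ph = $config['password_hash'];
            $this->algo = isset($ph['algo']) ? $ph['algo'] : PASSWORD_DEFAULT;
            $this->options = isset($ph['options']) ? $ph['options'] : array();
        } else {
            // Flat legacy shape: 'algo' and 'cost' sit beside other settings.
            $this->algo = isset($config['algo']) ? $config['algo'] : PASSWORD_BCRYPT;
            $this->options = isset($config['cost']) ? array('cost' => (int) $config['cost']) : array();
        }
    }

    public function hash($pass)
    {
        return password_hash($pass, $this->algo, $this->options);
    }

    // Returns array(bool $ok, ?string $newHash). $newHash is non-null when the
    // stored hash was made with a different algorithm or cost than configured.
    public function verify($pass, $stored)
    {
        if (!password_verify($pass, $stored)) {
            return array(false, null);
        }
        $stale = password_needs_rehash($stored, $this->algo, $this->options);
        return array(true, $stale ? $this->hash($pass) : null);
    }
}

// Constructed sample: a hash stored under the old flat config (cost 8) ...
$old = new PasswordHasher(array('cost' => 8));
$stored = $old->hash('correct horse battery staple');
// ... checked after the site switches to the nested config with cost 12.
$new = new PasswordHasher(array('password_hash' => array(
    'algo' => PASSWORD_BCRYPT,
    'options' => array('cost' => 12),
)));
list($ok, $upgraded) = $new->verify('correct horse battery staple', $stored);
var_dump($ok, $upgraded !== null, password_get_info($upgraded)['options']['cost']);
```

The caller is expected to write `$newHash` back to storage when it is non-null, so stored hashes move to the configured settings at each user's next successful login.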
