Password hashers - redact passwords
mabar committed Oct 18, 2023
1 parent e4821ce commit 1b13123
Showing 5 changed files with 49 additions and 8 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

## [Unreleased](https://github.com/orisai/auth/compare/2.0.0...v2.x)

### Changed

- Password hashers - redact passwords

## [2.0.0](https://github.com/orisai/auth/compare/1.0.4...2.0.0) - 2023-03-01

### Added
13 changes: 11 additions & 2 deletions src/Passwords/Argon2PasswordHasher.php
Expand Up @@ -4,6 +4,7 @@

use Orisai\Utils\Dependencies\Dependencies;
use Orisai\Utils\Dependencies\Exception\ExtensionRequired;
use SensitiveParameter;
use function assert;
use function password_hash;
use function password_needs_rehash;
Expand Down Expand Up @@ -42,7 +43,11 @@ public function __construct(?int $timeCost = null, ?int $memoryCost = null, ?int
$this->threads = $threads ?? 4;
}

public function hash(string $raw): string
// phpcs:ignore SlevomatCodingStandard.Classes.RequireSingleLineMethodSignature
public function hash(
#[SensitiveParameter]
string $raw
): string
{
$hash = password_hash($raw, PASSWORD_ARGON2ID, $this->getOptions());
assert($hash !== false); // Since php 7.4 password_hash cannot return false

Check warning on line 53 in src/Passwords/Argon2PasswordHasher.php


GitHub Actions / Test for mutants (ubuntu-latest, 8.1)

Escaped Mutant for Mutator "FalseValue": --- Original +++ New @@ @@ public function hash(#[SensitiveParameter] string $raw) : string { $hash = password_hash($raw, PASSWORD_ARGON2ID, $this->getOptions()); - assert($hash !== false); + assert($hash !== true); // Since php 7.4 password_hash cannot return false assert($hash !== null); // All failing conditions are handled
Expand All @@ -60,7 +65,11 @@ public function needsRehash(string $hashed): bool
return password_needs_rehash($hashed, PASSWORD_ARGON2ID, $this->getOptions());
}

public function isValid(string $raw, string $hashed): bool
public function isValid(
#[SensitiveParameter]
string $raw,
string $hashed
): bool
{
if (!$this->isArgonHashed($hashed)) {
return false;
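Review bot: The `#[SensitiveParameter]` attribute added to `$raw` in `hash()` and `isValid()` redacts the argument from backtraces only on PHP 8.2 and later; the mutation-test annotation on this file shows the project also runs on 8.1, where the attribute is parsed but has no effect and the raw password can still reach logs or error reporters through stack traces. I would state that limit next to the attribute, e.g. `// Redacted in stack traces on PHP >= 8.2 only; older runtimes ignore the attribute`, and repeat it in the CHANGELOG entry so users do not assume redaction on every supported version. A test that inspects the trace of an exception thrown while hashing and expects a `SensitiveParameterValue` in place of the first argument on 8.2+ would keep the attribute from being dropped silently. The same applies to the identical signatures in BcryptPasswordHasher.php and UpgradingPasswordHasher.php; the method bodies continue outside the visible hunks.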
13 changes: 11 additions & 2 deletions src/Passwords/BcryptPasswordHasher.php
Expand Up @@ -2,6 +2,7 @@

namespace Orisai\Auth\Passwords;

use SensitiveParameter;
use function assert;
use function password_hash;
use function password_needs_rehash;
Expand All @@ -23,7 +24,11 @@ public function __construct(int $cost = 13)
$this->cost = $cost;
}

public function hash(string $raw): string
// phpcs:ignore SlevomatCodingStandard.Classes.RequireSingleLineMethodSignature
public function hash(
#[SensitiveParameter]
string $raw
): string
{
$hash = password_hash($raw, PASSWORD_BCRYPT, $this->getOptions());
assert($hash !== false); // Since php 7.4 password_hash cannot return false

Check warning on line 34 in src/Passwords/BcryptPasswordHasher.php


GitHub Actions / Test for mutants (ubuntu-latest, 8.1)

Escaped Mutant for Mutator "FalseValue": --- Original +++ New @@ @@ public function hash(#[SensitiveParameter] string $raw) : string { $hash = password_hash($raw, PASSWORD_BCRYPT, $this->getOptions()); - assert($hash !== false); + assert($hash !== true); // Since php 7.4 password_hash cannot return false assert($hash !== null); // All failing conditions are handled
Expand All @@ -41,7 +46,11 @@ public function needsRehash(string $hashed): bool
return password_needs_rehash($hashed, PASSWORD_BCRYPT, $this->getOptions());
}

public function isValid(string $raw, string $hashed): bool
public function isValid(
#[SensitiveParameter]
string $raw,
string $hashed
): bool
{
if (!$this->isBcryptHashed($hashed)) {
return false;
14 changes: 12 additions & 2 deletions src/Passwords/PasswordHasher.php
Expand Up @@ -2,13 +2,23 @@

namespace Orisai\Auth\Passwords;

use SensitiveParameter;

interface PasswordHasher
{

public function hash(string $raw): string;
// phpcs:ignore SlevomatCodingStandard.Classes.RequireSingleLineMethodSignature
public function hash(
#[SensitiveParameter]
string $raw
): string;

public function needsRehash(string $hashed): bool;

public function isValid(string $raw, string $hashed): bool;
public function isValid(
#[SensitiveParameter]
string $raw,
string $hashed
): bool;

}
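Review bot: The attribute on the interface's `hash()` and `isValid()` does not carry over to implementations: PHP attributes are not inherited, and redaction is decided from the method that is actually on the stack, so a third-party `PasswordHasher` that omits `#[SensitiveParameter]` still exposes `$raw` in its own frame. This matters for `UpgradingPasswordHasher`, which forwards `$raw` to whatever hashers the caller passes to its constructor. The interface has no docblock saying so; I would add one on both methods, e.g. `/** Implementations must repeat #[SensitiveParameter] on $raw; the attribute is not inherited. */`.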
13 changes: 11 additions & 2 deletions src/Passwords/UpgradingPasswordHasher.php
Expand Up @@ -2,6 +2,7 @@

namespace Orisai\Auth\Passwords;

use SensitiveParameter;
use function password_verify;

final class UpgradingPasswordHasher implements PasswordHasher
Expand All @@ -21,7 +22,11 @@ public function __construct(PasswordHasher $preferredHasher, array $outdatedHash
$this->outdatedHashers = $outdatedHashers;
}

public function hash(string $raw): string
// phpcs:ignore SlevomatCodingStandard.Classes.RequireSingleLineMethodSignature
public function hash(
#[SensitiveParameter]
string $raw
): string
{
return $this->preferredHasher->hash($raw);
}
Expand All @@ -31,7 +36,11 @@ public function needsRehash(string $hashed): bool
return $this->preferredHasher->needsRehash($hashed);
}

public function isValid(string $raw, string $hashed): bool
public function isValid(
#[SensitiveParameter]
string $raw,
string $hashed
): bool
{
if ($this->preferredHasher->isValid($raw, $hashed)) {
return true;
