Add support for argon2 #808
Thanks for the PR @Ph0tonic! In regards to this:

According to the docs for this method (https://www.php.net/manual/en/function.ldap-exop-passwd.php), it supports being called with:

```php
function ldap_exop_passwd(
    LDAP\Connection $ldap,
    string $user = "",
    #[\SensitiveParameter] string $old_password = "",
    #[\SensitiveParameter] string $new_password = "",
    array &$controls = null
): string|bool
```

So it looks like we may be able to support the same flow without throwing the exception here. We could extract the mechanism for changing passwords into some interface and classes depending on the method being used. Maybe something like (pseudo-code):

```php
$changer = match (strtolower($method)) {
    'argon2i', 'argon2id' => new ArgonPasswordChanger(...),
    default => new DefaultPasswordChanger(...),
};
```

Thoughts?
In other words I think we should implement the full operation here instead of in a follow up, because if the exception is no longer thrown then that's a major breaking change.
Hey, here is a PR to support the argon hashing algorithm 🎉

Add argon2i and argon2id password hashing support

Adds `Password::argon2i()` and `Password::argon2id()` methods to the `Password` class, enabling use of the `{ARGON2I}` and `{ARGON2ID}` userPassword schemes supported by OpenLDAP via the `pw-argon2` module.

Changes

- `Password::argon2i()` and `Password::argon2id()` static methods using PHP's native `password_hash()`
- Throws `LdapRecordException` when attempting to change an argon2 password using the array syntax (`$user->password = ['old', 'new']`), since argon2 hashes are non-deterministic and the old hash cannot be reproduced to satisfy the LDAP `REMOVE` operation

Notes

- Requires the `pw-argon2` contrib module to be loaded server-side (`moduleload pw-argon2`) — without it, the server will reject the `{ARGON2ID}` scheme
- Setting a password directly (`$user->password = 'new'`) works as expected; only the password change (array) flow is unsupported — this can be addressed in a follow-up by implementing the LDAP Password Modify extended operation (`ldap_exop_passwd`)
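Added example in plain PHP (not LdapRecord's code and not from the PR) showing the two points discussed above: why re-hashing the old password can never reproduce the stored `{ARGON2ID}` value, so the `['old', 'new']` replace flow cannot work, and how the `ldap_exop_passwd()` route suggested in review avoids the problem. The `{ARGON2ID}` prefix handling and the function names are assumptions.

```php
<?php
// Added example, not LdapRecord's code. Function names are hypothetical.

// Hash a clear-text password into a userPassword value using the {ARGON2ID}
// scheme described in the PR (the server needs pw-argon2 loaded to verify it).
function argon2idUserPassword(string $password): string
{
    return '{ARGON2ID}' . password_hash($password, PASSWORD_ARGON2ID);
}

// Client-side check of a clear-text password against a stored {ARGON2ID} value.
function verifyArgon2idUserPassword(string $password, string $stored): bool
{
    $prefix = '{ARGON2ID}';
    if (!str_starts_with($stored, $prefix)) {
        return false;
    }
    return password_verify($password, substr($stored, strlen($prefix)));
}

// Why the ['old', 'new'] array syntax cannot work for argon2: every call uses a
// fresh random salt, so re-hashing the old password never yields the value that
// is stored in the directory, and a modify that deletes that exact old value
// will not match anything on the server.
$stored = argon2idUserPassword('old-secret');
$again  = argon2idUserPassword('old-secret');
var_dump($stored === $again);                                // differs every run
var_dump(verifyArgon2idUserPassword('old-secret', $stored)); // still verifies

// The route suggested in review: the Password Modify extended operation
// (ldap_exop_passwd). The server checks $old and stores $new itself, so the
// client never has to reproduce the old hash. Needs a bound LDAP connection.
function changePasswordViaExop(\LDAP\Connection $ldap, string $dn, string $old, string $new): bool
{
    $result = ldap_exop_passwd($ldap, $dn, $old, $new);
    // ldap_exop_passwd() returns true on success (or a generated password
    // string when $new is empty) and false on failure.
    return $result !== false;
}
```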