PASSWORD_ARGON2ID is a conditional constant

[MGatner]

#68 introduced alternate hashing algorithms, but the constant PASSWORD_ARGON2ID is only available if PHP has been compiled with Argon2 support, not a current requirement for Myth:Auth or CodeIgniter4. This causes syntax errors when trying to load the config file or using the User entity or LocalAuthenticator.

Either backing out the changes for Argon2 or adding some conditional constant definition?

[lonnieezell]

Oh, dang, forgot about that. I think uses the ints instead of the constant would solve it:

public $hashMemoryCost = 1024; // PASSWORD_ARGON2_DEFAULT_MEMORY_COST

[fefo-p]

**PASSWORD_ARGON2I** - Use the Argon2i hashing algorithm to create the hash. This algorithm is only available if PHP has been compiled with Argon2 support.
**PASSWORD_ARGON2ID** - Use the Argon2id hashing algorithm to create the hash. This algorithm is only available if PHP has been compiled with Argon2 support.

You're right. I understood it came by default with php 7.2.
Sorry for that.

Lonnie, not quite. If it's not compiled with ARGON2I support, it won't matter If you use ints or the constant name. I just won't work as it will not know the algorithm to use.
If it does have support compiled into php, then constants or ints is the same.

Will check the condition to load ARGON2i if it has support, and maybe default to BCRYPT or DEFAULT if it doesn't.
What do you think?

[fefo-p]

BTW, Argon2i comes as of PHP 7.2 and Argon2iD as of PHP 7.3

[MGatner]

I'm on 7.2.19 and got the error. I think a fresh install might include it by default but upgrades from previous PHP versions not compiled with the support won't add it. Just a guess though

[fefo-p]

Yes, I meant the possibility of having it :)

[MGatner]

Oh! Sorry, misunderstood. It does appear to be compiled by default at some point, best as I can tell. Pretty new library so not a lot of clear info on it.

[fefo-p]

What do you think about defaulting to BCRYPT instead of DEFAULT?
Or maybe we can add another CONSTANT named $fallbackHashAlgorithm?

[lonnieezell]

What do you think about defaulting to BCRYPT instead of DEFAULT?
Or maybe we can add another CONSTANT named $fallbackHashAlgorithm?

What is the issue with defaulting to DEFAULT? I believe in most (all?) versions of PHP that's Bcrypt anyway. If the system has a different one set (or a new PHP version is installed that defaults to a different algo) then Myth:Auth upgrades the passwords for them.

[fefo-p]

Something like:

in Auth config
// Valid values are PASSWORD_DEFAULT, PASSWORD_BCRYPT and PASSWORD_ARGON2I.
public $hashAlgorithm = PASSWORD_ARGON2I;
public $fallbackHashAlgorithm = PASSWORD_DEFAULT;

and in User Entity
if( defined(PASSWORD_ARGON2I) && ($config->hashAlgorithm == PASSWORD_ARGON2I))
{
$hashOptions = [
'memory_cost' => $config->hashMemoryCost,
'time_cost' => $config->hashTimeCost,
'threads' => $config->hashThreads
];
}
else
{
$config->hashAlgorithm = $config->$fallbackHashAlgorithm;

[fefo-p]

True Lonnie, I got carried away :)

[MGatner]

You can’t even use the constant PASSWORD_ARGON2I without having the module installed

[fefo-p]

Exactly, in which case defined(PASSWORD_ARGON2I) would be false

[MGatner]

Yes but the config file will fail to load if you have this:
public $hashAlgorithm = PASSWORD_ARGON2I;

[fefo-p]

Ok, so maybe it's better to ship it with DEFAULT as default value, but keep the User Entity changes in case it has support and admin choses to set it in config

[fefo-p]

Nope, true problem is we cannot use a conditional in a class definition (Auth) so there's no way to check if there's support for these constants.

[MGatner]

I think this would work:

public $hashAlgorithm = defined(PASSWORD_ARGON2I) ? PASSWORD_ARGON2I : PASSWORD_DEFAULT;

But I think it would also be a fine solution to ship with PASSWORD_DEFAULT and instructions on the other options, then use defined() in Entity as you have it, for folks who wanted to go that route.

[fefo-p]

Not sure, it may become complex if you take into account ARGON2ID as well. One too many if's

[fefo-p]

Would look like this

if (
(defined(PASSWORD_ARGON2I) && ($config->hashAlgorithm == PASSWORD_ARGON2I))
||
(defined(PASSWORD_ARGON2ID) && ($config->hashAlgorithm == PASSWORD_ARGON2ID))
)
If you're ok with it, I can implement it, but there has to be another way to make it cleaner

[fefo-p]

Won't work.
I tried this -without support for 2ID- and it throws an exception.
Error available in https://ibb.co/mGv3gLs
Maybe it's better to fallback to state previous to merge.

[fefo-p]

Found the issue. Will pr in a minute

[fefo-p]

Corrected in fix #74
Can be closed now

[MGatner]

Confirmed working! Thanks for the quick PR