Use Argon2 instead of bcrypt

Passwords currently stored under bcrypt are not automatically converted. Argon2 is only used for new passwords from this moment on.
2023-08-30 22:35:35 +02:00 · 2023-08-30 22:35:35 +02:00 · 6a1be5ac2f
parent 7b86673590
commit 6a1be5ac2f
7 changed files with 7 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@ This tool regularly checks if people are still alive according to Wikipedia, and

 ## Development
 ### Requirements
-* PHP 8.1+ (i.e. `apt install php php-cgi`)
+* PHP 8.1+ (i.e. `apt install php php-cgi`) (compiled with Argon2 support)
  * [PHP cURL](https://www.php.net/manual/en/book.curl.php) (i.e. `apt install php-curl`)
  * [PHP DOM](https://www.php.net/manual/en/book.dom.php) (i.e. `apt install php-dom`)
  * [PHP SQLite 3](https://www.php.net/manual/en/book.sqlite3.php) (i.e. `apt install php-sqlite3`)
--- a/composer.json
+++ b/composer.json
@ -1,7 +1,7 @@
 {
    "name": "fwdekker/death-notifier",
    "description": "Get notified when a famous person dies.",
-    "version": "1.1.2", "_comment_version": "Also update version in `package.json`!",
+    "version": "1.2.0", "_comment_version": "Also update version in `package.json`!",
    "type": "project",
    "license": "MIT",
    "homepage": "https://git.fwdekker.com/tools/death-notifier",
--- a/composer.lock
+++ b/composer.lock
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name": "death-notifier",
-    "version": "1.1.2", "_comment_version": "Also update version in `composer.json`!",
+    "version": "1.2.0", "_comment_version": "Also update version in `composer.json`!",
    "description": "Get notified when a famous person dies.",
    "author": "Florine W. Dekker",
    "browser": "dist/bundle.js",
--- a/src/main/config.default.ini.php
+++ b/src/main/config.default.ini.php
@ -1,7 +1,8 @@
 ;<?php exit(); ?>

 [admin]
-# bcrypt hash of password to use the CLI of `api.php`. If set to its default value, or if empty, the CLI is disabled.
+# PHC formatted hash of password to use the CLI of `api.php`. If set to its default value, or if empty, the CLI is
+# disabled.
 cli_password = REPLACE THIS WITH A SECRET VALUE

 [database]
--- a/src/main/php/com/fwdekker/deathnotifier/user/UserList.php
+++ b/src/main/php/com/fwdekker/deathnotifier/user/UserList.php
@ -104,7 +104,7 @@ class UserList
                                                VALUES (:email, :password)
                                                RETURNING email_verification_token;");
        $stmt->bindValue(":email", $email);
-        $stmt->bindValue(":password", password_hash($password, PASSWORD_BCRYPT));
+        $stmt->bindValue(":password", password_hash($password, PASSWORD_ARGON2ID));
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC)[0]["email_verification_token"];
    }
@ -270,7 +270,7 @@ class UserList
                                                    password_reset_token=null
                                                WHERE uuid=:uuid;");
        $stmt->bindValue(":uuid", $uuid);
-        $stmt->bindValue(":password", password_hash($password, PASSWORD_BCRYPT));
+        $stmt->bindValue(":password", password_hash($password, PASSWORD_ARGON2ID));
        $stmt->execute();
    }