From 6a1be5ac2fb6afd2e3dbcc2bed17f0e2ae357931 Mon Sep 17 00:00:00 2001
From: "Florine W. Dekker"
Date: Wed, 30 Aug 2023 22:35:35 +0200
Subject: [PATCH] Use Argon2 instead of bcrypt

Passwords currently stored under bcrypt are not automatically converted. Argon2 is only used for new passwords from this moment on.
---
 README.md | 2 +-
 composer.json | 2 +-
 composer.lock | Bin 73553 -> 73553 bytes
 package-lock.json | Bin 123946 -> 123946 bytes
 package.json | 2 +-
 src/main/config.default.ini.php | 3 ++-
 .../fwdekker/deathnotifier/user/UserList.php | 4 ++--
 7 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index ebcf3f5..1eded83 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ This tool regularly checks if people are still alive according to Wikipedia, and
 ## Development
 ### Requirements
-* PHP 8.1+ (i.e. `apt install php php-cgi`)
+* PHP 8.1+ (i.e. `apt install php php-cgi`) (compiled with Argon2 support)
 * [PHP cURL](https://www.php.net/manual/en/book.curl.php) (i.e. `apt install php-curl`)
 * [PHP DOM](https://www.php.net/manual/en/book.dom.php) (i.e. `apt install php-dom`)
 * [PHP SQLite 3](https://www.php.net/manual/en/book.sqlite3.php) (i.e. `apt install php-sqlite3`)
diff --git a/composer.json b/composer.json
index 5d45755..64b7e0e 100644
--- a/composer.json
+++ b/composer.json
@@ -1,7 +1,7 @@
 {
 "name": "fwdekker/death-notifier",
 "description": "Get notified when a famous person dies.",
- "version": "1.1.2", "_comment_version": "Also update version in `package.json`!",
+ "version": "1.2.0", "_comment_version": "Also update version in `package.json`!",
 "type": "project",
 "license": "MIT",
 "homepage": "https://git.fwdekker.com/tools/death-notifier",
diff --git a/composer.lock b/composer.lock
index 73fa2daa56e890292b0eea37c4a3c694f1077709..3081e18ea5833f574ad5d56c3d3f2a08f4536ade 100644
GIT binary patch delta 51 zcmcb(kLBV%mJPy;3I^tBX(_2`2Byg-rpAfMre>)oNhTJl#%5{BhRMlE=FP^8+l?6+ G<>Uar_780U delta 51 zcmcb(kLBV%mJPy;3W+AE=B6o@My5#y28n4VmPQ5^X-Sr;X~{{Z#%bnh2F=Ed+l?6+ G<>UagQx6aT
diff --git a/package-lock.json b/package-lock.json
index 166ad25a5881ee03bc4f046b6d817abdfbf04f07..7b3ca7988e70b479f5dcd164f35707107ec7cecf 100644
GIT binary patch delta 26 hcmZ2=f_>Eq_6bIlWo)=6+VlV^;l|rrZ!`Ko1^|-Y3m^ah delta 26 hcmZ2=f_>Eq_6bIlyX?3o+VlV^;l|rrZ!`Ko1^}L_3;+NC
diff --git a/package.json b/package.json
index 4265f9b..aa73e2e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "death-notifier",
- "version": "1.1.2", "_comment_version": "Also update version in `composer.json`!",
+ "version": "1.2.0", "_comment_version": "Also update version in `composer.json`!",
 "description": "Get notified when a famous person dies.",
 "author": "Florine W. Dekker",
 "browser": "dist/bundle.js",
diff --git a/src/main/config.default.ini.php b/src/main/config.default.ini.php
index 1a62b89..82429c8 100644
--- a/src/main/config.default.ini.php
+++ b/src/main/config.default.ini.php
@@ -1,7 +1,8 @@
 ;
 [admin]
-# bcrypt hash of password to use the CLI of `api.php`. If set to its default value, or if empty, the CLI is disabled.
+# PHC formatted hash of password to use the CLI of `api.php`. If set to its default value, or if empty, the CLI is
+# disabled.
 cli_password = REPLACE THIS WITH A SECRET VALUE
 [database]
diff --git a/src/main/php/com/fwdekker/deathnotifier/user/UserList.php b/src/main/php/com/fwdekker/deathnotifier/user/UserList.php
index 8df3327..849047f 100644
--- a/src/main/php/com/fwdekker/deathnotifier/user/UserList.php
+++ b/src/main/php/com/fwdekker/deathnotifier/user/UserList.php
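Review bot: The reworded comment above `cli_password` in the `[admin]` section of `config.default.ini.php` says "PHC formatted hash" but names neither the algorithm nor how the value is produced, so an operator cannot tell from this file what to paste in. The code that verifies this value is not part of the diff; if it goes through `password_verify()`, a bcrypt value set before this change would presumably keep working, and the comment should say so rather than suggest it has to be replaced. Suggested wording: `# Hash of the CLI password as produced by PHP's password_hash(), Argon2id preferred (bcrypt hashes from older setups are still accepted).` Drop the parenthetical if the check does not in fact accept them.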
@@ -104,7 +104,7 @@ class UserList
 VALUES (:email, :password)
 RETURNING email_verification_token;");
 $stmt->bindValue(":email", $email);
- $stmt->bindValue(":password", password_hash($password, PASSWORD_BCRYPT));
+ $stmt->bindValue(":password", password_hash($password, PASSWORD_ARGON2ID));
 $stmt->execute();
 return $stmt->fetchAll(PDO::FETCH_ASSOC)[0]["email_verification_token"];
 }
@@ -270,7 +270,7 @@ class UserList
 password_reset_token=null
 WHERE uuid=:uuid;");
 $stmt->bindValue(":uuid", $uuid);
- $stmt->bindValue(":password", password_hash($password, PASSWORD_BCRYPT));
+ $stmt->bindValue(":password", password_hash($password, PASSWORD_ARGON2ID));
 $stmt->execute();
 }
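Review bot: `PASSWORD_ARGON2ID` in the added `bindValue(":password", ...)` line exists only on PHP builds with Argon2 support, so on a build without it this statement fails at run time, at the moment a user registers; the identical line in the `@@ -270` hunk has the same exposure. The README change in this commit documents the requirement, but nothing visible in the diff enforces it. A check at application startup would surface the problem before any request reaches these lines, e.g. `if (!defined('PASSWORD_ARGON2ID')) { throw new RuntimeException('PHP was built without Argon2id support'); }`. The enclosing method begins above the hunk, so the right place for such a check cannot be judged from here.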
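Review bot: Only this password-update statement and the registration statement in the `@@ -104` hunk write Argon2id, so an account whose owner never changes their password keeps its bcrypt hash indefinitely, as the commit message acknowledges. The usual migration lives in the login path (not part of this diff), right after a successful `password_verify()`: `if (password_needs_rehash($storedHash, PASSWORD_ARGON2ID)) { /* store password_hash($password, PASSWORD_ARGON2ID) for this user */ }`, where `$storedHash` is a placeholder for whatever variable holds the stored hash. Defining the algorithm, and any cost options, once as a class constant would keep both writers and that check in agreement. The method containing this line starts above the hunk.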