|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
declare(strict_types=1); |
|
4
|
|
|
|
|
5
|
|
|
namespace Yiisoft\Security; |
|
6
|
|
|
|
|
7
|
|
|
/** |
|
8
|
|
|
* PasswordHasher allows generating password hash and verifying passwords against a hash. |
|
9
|
|
|
*/ |
|
10
|
|
|
final class PasswordHasher |
|
11
|
|
|
{ |
|
12
|
|
|
private ?string $algorithm; |
|
13
|
|
|
private array $parameters; |
|
14
|
|
|
|
|
15
|
|
|
private const SAFE_PARAMETERS = [ |
|
16
|
|
|
PASSWORD_BCRYPT => [ |
|
17
|
|
|
'cost' => 13, |
|
18
|
|
|
], |
|
19
|
|
|
]; |
|
20
|
|
|
|
|
21
|
|
|
/** |
|
22
|
|
|
* @param string|null $algorithm Algorithm to use. If not specified, PHP chooses safest algorithm available in the |
|
23
|
|
|
* current version of PHP. |
|
24
|
|
|
* @param array|null $parameters Algorithm parameters. If not specified, safe defaults are used. |
|
25
|
|
|
* |
|
26
|
|
|
* @see https://www.php.net/manual/en/function.password-hash.php |
|
27
|
|
|
*/ |
|
28
|
5 |
|
public function __construct(?string $algorithm = PASSWORD_DEFAULT, array $parameters = null) |
|
29
|
|
|
{ |
|
30
|
5 |
|
$this->algorithm = $algorithm; |
|
31
|
|
|
|
|
32
|
5 |
|
if ($parameters === null) { |
|
33
|
4 |
|
$this->parameters = self::SAFE_PARAMETERS[$algorithm] ?? []; |
|
34
|
|
|
} else { |
|
35
|
1 |
|
$this->parameters = $parameters; |
|
36
|
|
|
} |
|
37
|
|
|
} |
|
38
|
|
|
|
|
39
|
|
|
/** |
|
40
|
|
|
* Generates a secure hash from a password and a random salt. |
|
41
|
|
|
* |
|
42
|
|
|
* The generated hash can be stored in database. |
|
43
|
|
|
* Later when a password needs to be validated, the hash can be fetched and passed |
|
44
|
|
|
* to {@see validate()}. For example, |
|
45
|
|
|
* |
|
46
|
|
|
* ```php |
|
47
|
|
|
* // generates the hash (usually done during user registration or when the password is changed) |
|
48
|
|
|
* $hash = (new PasswordHasher())->hash($password); |
|
49
|
|
|
* // ...save $hash in database... |
|
50
|
|
|
* |
|
51
|
|
|
* // during login, validate if the password entered is correct using $hash fetched from database |
|
52
|
|
|
* if ((new PasswordHasher())->validate($password, $hash)) { |
|
53
|
|
|
* // password is good |
|
54
|
|
|
* } else { |
|
55
|
|
|
* // password is bad |
|
56
|
|
|
* } |
|
57
|
|
|
* ``` |
|
58
|
|
|
* |
|
59
|
|
|
* @param string $password The password to be hashed. |
|
60
|
|
|
* |
|
61
|
|
|
* @return string The password hash string. The output length might increase |
|
62
|
|
|
* in future versions of PHP (http://php.net/manual/en/function.password-hash.php) |
|
63
|
|
|
* |
|
64
|
|
|
* @see validate() |
|
65
|
|
|
* @psalm-suppress InvalidNullableReturnType |
|
66
|
|
|
* @psalm-suppress NullableReturnStatement |
|
67
|
|
|
*/ |
|
68
|
3 |
|
public function hash(string $password): string |
|
69
|
|
|
{ |
|
70
|
3 |
|
return password_hash($password, $this->algorithm, $this->parameters); |
|
|
|
|
|
|
71
|
|
|
} |
|
72
|
|
|
|
|
73
|
|
|
/** |
|
74
|
|
|
* Verifies a password against a hash. |
|
75
|
|
|
* |
|
76
|
|
|
* @param string $password The password to verify. |
|
77
|
|
|
* @param string $hash The hash to verify the password against. |
|
78
|
|
|
* |
|
79
|
|
|
* @throws \InvalidArgumentException on bad password/hash parameters or if crypt() with Blowfish hash is not |
|
80
|
|
|
* available. |
|
81
|
|
|
* |
|
82
|
|
|
* @return bool whether the password is correct. |
|
83
|
|
|
* |
|
84
|
|
|
* @see hash() |
|
85
|
|
|
*/ |
|
86
|
3 |
|
public function validate(string $password, string $hash): bool |
|
87
|
|
|
{ |
|
88
|
3 |
|
if ($password === '') { |
|
89
|
1 |
|
throw new \InvalidArgumentException('Password must be a string and cannot be empty.'); |
|
90
|
|
|
} |
|
91
|
|
|
|
|
92
|
2 |
|
return password_verify($password, $hash); |
|
93
|
|
|
} |
|
94
|
|
|
} |
|
95
|
|
|
|
yiisoft /
security
Loading history...