Skip to content

Commit cbf8e47

Browse files
authored
Merge pull request #1498 from benedmunds/benedmunds-remove-admin-hashing
Remove admin specific hash params, use the same params for all users
2 parents 5e9cf42 + c94dc71 commit cbf8e47

2 files changed

Lines changed: 15 additions & 36 deletions

File tree

config/ion_auth.php

Lines changed: 9 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -58,9 +58,9 @@
5858
| -------------------------------------------------------------------------
5959
| Bcrypt is available in PHP 5.3+
6060
| Argon2 is available in PHP 7.2
61+
| Argon2id is available in PHP 7.3
6162
|
62-
| Argon2 is recommended by expert (it is actually the winner of the Password Hashing Competition
63-
| for more information see https://password-hashing.net). So if you can (PHP 7.2), go for it.
63+
| Bcrypt is the current PHP language default.
6464
|
6565
| Bcrypt specific:
6666
| bcrypt_default_cost settings: This defines how strong the encryption will be.
@@ -73,8 +73,6 @@
7373
| With bcrypt, an example hash of "password" is:
7474
| $2y$08$200Z6ZZbp3RAEXoaWcMA6uJOFicwNZaqk4oDhqTUiFXFe63MG.Daa
7575
|
76-
| A specific parameter bcrypt_admin_cost is available for user in admin group.
77-
| It is recommended to have a stronger hashing for administrators.
7876
|
7977
| Argon2 specific:
8078
| argon2_default_params settings: This is an array containing the options for the Argon2 algorithm.
@@ -95,26 +93,20 @@
9593
| With argon2, an example hash of "password" is:
9694
| $argon2i$v=19$m=1024,t=2,p=2$VEFSSU4wSzh3cllVdE1JZQ$PDeks/7JoKekQrJa9HlfkXIk8dAeZXOzUxLBwNFbZ44
9795
|
98-
| A specific parameter argon2_admin_params is available for user in admin group.
99-
| It is recommended to have a stronger hashing for administrators.
10096
|
10197
| For more information, check the password_hash function help: http://php.net/manual/en/function.password-hash.php
10298
|
10399
*/
104-
$config['hash_method'] = 'bcrypt'; // bcrypt or argon2
105-
$config['bcrypt_default_cost'] = 10; // Set cost according to your server benchmark - but no lower than 10 (default PHP value)
106-
$config['bcrypt_admin_cost'] = 12; // Cost for user in admin group
100+
$config['hash_method'] = 'bcrypt'; // bcrypt, argon2, or argon2id
101+
$config['bcrypt_default_cost'] = defined('PASSWORD_BCRYPT_DEFAULT_COST') ? PASSWORD_BCRYPT_DEFAULT_COST : 10; // Set cost according to your server benchmark - but no lower than 10 (default PHP value)
107102
$config['argon2_default_params'] = [
108-
'memory_cost' => 1 << 12, // 4MB
109-
'time_cost' => 2,
110-
'threads' => 2
111-
];
112-
$config['argon2_admin_params'] = [
113-
'memory_cost' => 1 << 14, // 16MB
114-
'time_cost' => 4,
115-
'threads' => 2
103+
'memory_cost' => defined('PASSWORD_ARGON2_DEFAULT_MEMORY_COST') ? PASSWORD_ARGON2_DEFAULT_MEMORY_COST : 1 << 12,
104+
'time_cost' => defined('PASSWORD_ARGON2_DEFAULT_TIME_COST') ? PASSWORD_ARGON2_DEFAULT_TIME_COST : 2,
105+
'threads' => defined('PASSWORD_ARGON2_DEFAULT_THREADS') ? PASSWORD_ARGON2_DEFAULT_THREADS : 2
116106
];
117107

108+
// NOTE - the admin specific hashing config fields are no longer used, all users share the same hashing params now
109+
118110
/*
119111
| -------------------------------------------------------------------------
120112
| Authentication options.

models/Ion_auth_model.php

Lines changed: 6 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -280,7 +280,7 @@ public function db()
280280
* Hashes the password to be stored in the database.
281281
*
282282
* @param string $password
283-
* @param string $identity
283+
* @param string Deprecated, identity is no longer used when hashing passwords
284284
*
285285
* @return false|string
286286
* @author Mathew
@@ -297,7 +297,7 @@ public function hash_password($password, $identity = NULL)
297297
}
298298

299299
$algo = $this->_get_hash_algo();
300-
$params = $this->_get_hash_parameters($identity);
300+
$params = $this->_get_hash_parameters();
301301

302302
if ($algo !== FALSE && $params !== FALSE)
303303
{
@@ -357,7 +357,7 @@ public function verify_password($password, $hash_password_db, $identity = NULL)
357357
public function rehash_password_if_needed($hash, $identity, $password)
358358
{
359359
$algo = $this->_get_hash_algo();
360-
$params = $this->_get_hash_parameters($identity);
360+
$params = $this->_get_hash_parameters();
361361

362362
if ($algo !== FALSE && $params !== FALSE)
363363
{
@@ -2605,37 +2605,24 @@ protected function _random_token($result_length = 32)
26052605

26062606
/** Retrieve hash parameter according to options
26072607
*
2608-
* @param string $identity
2608+
* @param string Deprecated, identity is no longer used when hashing passwords
26092609
*
26102610
* @return array|bool
26112611
*/
26122612
protected function _get_hash_parameters($identity = NULL)
26132613
{
2614-
// Check if user is administrator or not
2615-
$is_admin = FALSE;
2616-
if ($identity)
2617-
{
2618-
$user_id = $this->get_user_id_from_identity($identity);
2619-
if ($user_id && $this->in_group($this->config->item('admin_group', 'ion_auth'), $user_id))
2620-
{
2621-
$is_admin = TRUE;
2622-
}
2623-
}
2624-
26252614
$params = FALSE;
26262615
switch ($this->hash_method)
26272616
{
26282617
case 'bcrypt':
26292618
$params = [
2630-
'cost' => $is_admin ? $this->config->item('bcrypt_admin_cost', 'ion_auth')
2631-
: $this->config->item('bcrypt_default_cost', 'ion_auth')
2619+
'cost' => $this->config->item('bcrypt_default_cost', 'ion_auth')
26322620
];
26332621
break;
26342622

26352623
case 'argon2':
26362624
case 'argon2id':
2637-
$params = $is_admin ? $this->config->item('argon2_admin_params', 'ion_auth')
2638-
: $this->config->item('argon2_default_params', 'ion_auth');
2625+
$params = $this->config->item('argon2_default_params', 'ion_auth');
26392626
break;
26402627

26412628
default:

0 commit comments

Comments
 (0)