Matomo Analytics – Powerful, Privacy-First Insights for WordPress / trunk
matomo / app / core / Auth / Password.php
Password.php
121 lines
1 <?php
2
3 /**
4 * Matomo - free/libre analytics platform
5 *
6 * @link https://matomo.org
7 * @license https://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
8 */
9 namespace Piwik\Auth;
10
11 use Exception;
12 use Piwik\Config;
13 /**
14 * Main class to handle actions related to password hashing and verification.
15 *
16 * @api
17 */
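class Password
{
    /**
     * Maps the `password_hash_algorithm` option of the General config section
     * to the PASSWORD_* constant that password_hash() expects.
     *
     * @return string|int depending on PHP version
     * @throws Exception if the option names an unknown algorithm, or one the
     *                   running PHP cannot provide
     */
    private function preferredAlgorithm()
    {
        $passwordHashAlgorithm = Config::getInstance()->General['password_hash_algorithm'];
        switch ($passwordHashAlgorithm) {
            case "default":
                return \PASSWORD_DEFAULT;
            case "bcrypt":
                return \PASSWORD_BCRYPT;
            case "argon2i":
                // The Argon2 constants exist only when PHP was built with Argon2
                // support. Check first so a misconfiguration surfaces as the
                // documented Exception instead of an "undefined constant" Error.
                if (!defined('PASSWORD_ARGON2I')) {
                    throw new Exception("argon2i is not available in this PHP build");
                }
                return \PASSWORD_ARGON2I;
            case "argon2id":
                if (version_compare(\PHP_VERSION, '7.3.0', '<')) {
                    throw new Exception("argon2id needs at least PHP 7.3.0");
                }
                if (!defined('PASSWORD_ARGON2ID')) {
                    throw new Exception("argon2id is not available in this PHP build");
                }
                return \PASSWORD_ARGON2ID;
            default:
                // Fail closed: an unrecognised value must never select an
                // algorithm implicitly.
                throw new Exception("invalid password_hash_algorithm");
        }
    }

    /**
     * Builds the Argon2 options array for password_hash() from the General
     * config section.
     *
     * Every setting left at "default" is omitted so PHP applies its own
     * default. Configured values are cast to int and clamped to a lower bound:
     * 1 for threads and time_cost, 8 * threads for memory_cost.
     *
     * @return array subset of the keys threads, memory_cost and time_cost
     */
    private function algorithmOptions()
    {
        $options = [];
        $generalConfig = Config::getInstance()->General;

        // Thread count that the memory floor is derived from. When threads is
        // left at "default" there is no $options["threads"] to read, so start
        // from PHP's own default (1 if this build has no Argon2 constants).
        $threads = defined('PASSWORD_ARGON2_DEFAULT_THREADS') ? \PASSWORD_ARGON2_DEFAULT_THREADS : 1;

        if ($generalConfig["password_hash_argon2_threads"] !== "default") {
            // The int cast keeps a non-numeric config string from winning the
            // max() comparison and reaching password_hash() unclamped.
            $threads = max((int) $generalConfig["password_hash_argon2_threads"], 1);
            $options["threads"] = $threads;
        }
        if ($generalConfig["password_hash_argon2_memory_cost"] !== "default") {
            $options["memory_cost"] = max((int) $generalConfig["password_hash_argon2_memory_cost"], 8 * $threads);
        }
        if ($generalConfig["password_hash_argon2_time_cost"] !== "default") {
            $options["time_cost"] = max((int) $generalConfig["password_hash_argon2_time_cost"], 1);
        }
        return $options;
    }

    /**
     * Hashes a password with the configured algorithm.
     *
     * password_hash() generates the salt itself and stores algorithm, cost and
     * salt inside the returned string.
     *
     * NOTE(review): bcrypt only uses the first 72 bytes of its input. verify()
     * documents that callers pass a value pre-hashed by
     * \Piwik\Plugins\UsersManager\UsersManager::getPasswordHash(); presumably
     * the same holds here - confirm against the callers.
     *
     * @param string $password
     * @return string
     * @throws Exception if the algorithm is misconfigured or hashing fails
     */
    public function hash(
        // Kept on its own line: PHP 8.2+ redacts the value in stack traces,
        // while PHP 7 reads the whole line as a "#" comment.
        #[\SensitiveParameter]
        $password)
    {
        $hash = password_hash($password, $this->preferredAlgorithm(), $this->algorithmOptions());
        // Older PHP versions report failure with false/null instead of
        // throwing. Refuse to hand back a value that could end up stored as a
        // credential.
        if (!is_string($hash)) {
            throw new Exception("password hashing failed");
        }
        return $hash;
    }

    /**
     * Returns information about a hashed password (algo, options, ...).
     *
     * Can be used to verify whether a string is compatible with password_hash().
     *
     * @param string $hash
     * @return array
     */
    public function info($hash)
    {
        return password_get_info($hash);
    }

    /**
     * Tells whether a stored hash should be regenerated because it was not
     * created with the currently configured algorithm and options.
     *
     * This method only reports; it does not rehash anything. Per the original
     * documentation, the password behind the hash is expected to have been
     * pre-hashed by
     * \Piwik\Plugins\UsersManager\UsersManager::getPasswordHash().
     *
     * @param string $hash
     * @return boolean
     * @throws Exception if the configured algorithm is invalid or unavailable
     */
    public function needsRehash($hash)
    {
        return password_needs_rehash($hash, $this->preferredAlgorithm(), $this->algorithmOptions());
    }

    /**
     * Verifies a user's password against the provided hash.
     *
     * This method expects the password to be pre-hashed by
     * \Piwik\Plugins\UsersManager\UsersManager::getPasswordHash().
     *
     * password_verify() reads algorithm, cost and salt from $hash and compares
     * in a timing-safe way, so hashes created under an earlier configuration
     * still verify; use needsRehash() to decide whether to upgrade them.
     *
     * @param string $password
     * @param string $hash
     * @return boolean
     */
    public function verify(
        // Attributes stay on their own lines so PHP 7 parses them as comments.
        #[\SensitiveParameter]
        $password,
        #[\SensitiveParameter]
        $hash)
    {
        return password_verify($password, $hash);
    }
}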