Passwords: changed from static to object class (BC break)

Author: dg

src/Security/Passwords.php

@@ -13,24 +13,40 @@
 
 
 /**
- * Passwords tools.
+ * Password Hashing.
  */
 class Passwords
 {
-	use Nette\StaticClass;
+	use Nette\SmartObject;
+
+	/** @var int */
+	private $algo;
+
+	/** @var array */
+	private $options;
+
 
 	/**
-	 * Computes salted password hash. Accepts option 'cost' (4-31)
+	 * See http://php.net/manual/en/password.constants.php
 	 */
-	public static function hash(string $password, array $options = []): string
+	public function __construct(int $algo = PASSWORD_DEFAULT, array $options = [])
 	{
-		if (isset($options['cost']) && ($options['cost'] < 4 || $options['cost'] > 31)) {
-			throw new Nette\InvalidArgumentException("Cost must be in range 4-31, $options[cost] given.");
-		}
+		$this->algo = $algo;
+		$this->options = $options;
+	}
+
+
+	/**
+	 * Computes salted password hash.
+	 */
+	public function hash(string $password): string
+	{
+		$hash = isset($this)
+			? @password_hash($password, $this->algo, $this->options) // @ is escalated to exception
+			: @password_hash($password, PASSWORD_BCRYPT, func_get_args()[1] ?? []); // back compatibility with v2.x
 
-		$hash = password_hash($password, PASSWORD_BCRYPT, $options);
-		if ($hash === false || strlen($hash) < 60) {
-			throw new Nette\InvalidStateException('Hash computed by password_hash is invalid.');
+		if (!$hash) {
+			throw new Nette\InvalidStateException('Computed hash is invalid. ' . error_get_last()['message']);
 		}
 		return $hash;
 	}
@@ -39,17 +55,19 @@ public static function hash(string $password, array $options = []): string
 	/**
 	 * Verifies that a password matches a hash.
 	 */
-	public static function verify(string $password, string $hash): bool
+	public function verify(string $password, string $hash): bool
 	{
 		return password_verify($password, $hash);
 	}
 
 
 	/**
-	 * Checks if the given hash matches the options. Accepts option 'cost' (4-31)
+	 * Checks if the given hash matches the options.
 	 */
-	public static function needsRehash(string $hash, array $options = []): bool
+	public function needsRehash(string $hash): bool
 	{
-		return password_needs_rehash($hash, PASSWORD_BCRYPT, $options);
+		return isset($this)
+			? password_needs_rehash($hash, $this->algo, $this->options)
+			: password_needs_rehash($hash, PASSWORD_BCRYPT, func_get_args()[1] ?? []); // back compatibility with v2.x
 	}
 }

tests/Security/Passwords.hash().phpt

@@ -14,24 +14,16 @@ require __DIR__ . '/../bootstrap.php';
 
 
 Assert::truthy(
-	preg_match('#^\$2.\$\d\d\$.{53}\z#',
-	Passwords::hash(''))
+	preg_match('#^\$2.\$\d\d\$.{53}\z#', (new Passwords)->hash(''))
 );
 
 Assert::truthy(
-	preg_match('#^\$2y\$05\$.{53}\z#',
-	$h = Passwords::hash('dg', ['cost' => 5]))
+	preg_match('#^\$2y\$05\$.{53}\z#', (new Passwords(PASSWORD_BCRYPT, ['cost' => 5]))->hash('dg'))
 );
-echo $h;
 
-$hash = Passwords::hash('dg');
+$hash = (new Passwords(PASSWORD_BCRYPT))->hash('dg');
 Assert::same($hash, crypt('dg', $hash));
 
-
-Assert::exception(function () {
-	Passwords::hash('dg', ['cost' => 3]);
-}, Nette\InvalidArgumentException::class, 'Cost must be in range 4-31, 3 given.');
-
 Assert::exception(function () {
-	Passwords::hash('dg', ['cost' => 32]);
-}, Nette\InvalidArgumentException::class, 'Cost must be in range 4-31, 32 given.');
+	(new Passwords(PASSWORD_BCRYPT, ['cost' => 3]))->hash('dg');
+}, Nette\InvalidStateException::class, 'Computed hash is invalid. password_hash(): Invalid bcrypt cost parameter specified: 3');

tests/Security/Passwords.needsRehash().phpt

@@ -13,5 +13,5 @@ use Tester\Assert;
 require __DIR__ . '/../bootstrap.php';
 
 
-Assert::true(Passwords::needsRehash('$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK'));
-Assert::false(Passwords::needsRehash('$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK', ['cost' => 5]));
+Assert::true((new Passwords(PASSWORD_BCRYPT))->needsRehash('$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK'));
+Assert::false((new Passwords(PASSWORD_BCRYPT, ['cost' => 5]))->needsRehash('$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK'));

tests/Security/Passwords.static.phpt

@@ -0,0 +1,30 @@
+<?php
+
+/**
+ * Test: Nette\Security\Passwords deprecated static usage
+ */
+
+declare(strict_types=1);
+
+use Nette\Security\Passwords;
+use Tester\Assert;
+
+
+require __DIR__ . '/../bootstrap.php';
+
+
+// deprecated static usage
+Assert::error(function () {
+	Passwords::hash('');
+}, E_DEPRECATED, 'Non-static method Nette\Security\Passwords::hash() should not be called statically');
+
+Assert::truthy(
+	preg_match('#^\$2y\$05\$.{53}\z#', @Passwords::hash('dg', ['cost' => 5])) // @ is not static
+);
+
+
+Assert::true(@Passwords::verify('dg', '$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK')); // @ is not static
+Assert::false(@Passwords::verify('dgx', '$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK')); // @ is not static
+
+
+Assert::true(@Passwords::needsRehash('$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK')); // @ is not static

tests/Security/Passwords.verify().phpt

@@ -13,6 +13,6 @@ use Tester\Assert;
 require __DIR__ . '/../bootstrap.php';
 
 
-Assert::true(Passwords::verify('dg', '$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK'));
-Assert::true(Passwords::verify('dg', '$2x$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK'));
-Assert::false(Passwords::verify('dgx', '$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK'));
+Assert::true((new Passwords)->verify('dg', '$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK'));
+Assert::true((new Passwords)->verify('dg', '$2x$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK'));
+Assert::false((new Passwords)->verify('dgx', '$2y$05$123456789012345678901uTj3G.8OMqoqrOMca1z/iBLqLNaWe6DK'));