Switching from Bcrypt to Argon2

xxsuperdreamxx

Hello I was wondering because Laravel is capable of hashing the passwords with Argon2. if I could change the hashing of Flarum to Argon2, because we use mainly Argon2 instead of Bcrypt

luceos

xxsuperdreamxx you can override the Hasher by using the static method on the User model:

Flarum\User\User::setHasher($yourHasher);

The replacement needs to implement Illuminate\Contracts\Hashing\Hasher.

xxsuperdreamxx

Ah alright thank you so much, will I F**k up the auth system if I use our main auth server, which already has like 50 users, because I was worrying I may bug the authentication like that

luceos

xxsuperdreamxx why not use a single sign on thing instead? If you're using Laravel, you can install passport on the app and the passport extension in Flarum; they integrate seamlessly.

xxsuperdreamxx

Actually that is a good idea, because like that I can prevent many headaches

luceos

xxsuperdreamxx you'd still need to log in on Flarum separately from the app. But being oauth 2, it's really a safe solution. If you have any further questions, feel free to let us know.

xxsuperdreamxx

Well it is not an issue, better doing one thin, than doing thousand

clarkwinkelmann

Doesn't PHP automatically detect the hash algorithm used when performing a check ? If password_verify is used behind the scenes as I assume, old hashes should still check with the old algorithm.

I also assumed that if you changed the hash algorithm in PHP configuration, Flarum would use the system default. But I have never tested this theory.

xxsuperdreamxx

Well maybe, but doing that will be a global change, which can cause big issues for the other apps, because they are manually set. Even though they use Argon2 I am not quite sure if this is still a good idea, I will try with an old backup to test the theory