Not installable without ARGON2 support #122

Closed
bendavies opened this issue Feb 12, 2021 · 14 comments

@bendavies

Is your feature request related to a problem? Please describe.
Hi there,

This library is not install-able unless argon2 support has been compiled into php.

Otherwise, we will receive:

PHP Fatal error:  Uncaught Error: Undefined constant 'PASSWORD_ARGON2I'

Describe the solution you'd like
Would you be open to conditionally supporting the argon2 password hashing, only if argon 2 support is available?

I want to use the iter/arr methods of this library - i don't really care about not having argon2 support.

Describe alternatives you've considered
compile in argon2 support before requiring psl.

@bendavies bendavies added the Type: Enhancement Most issues will probably ask for additions or changes. label Feb 12, 2021
@azjezz
Owner

azjezz commented Feb 12, 2021

Hm, i thought ext-sodium ( which is required by this library ) + php >= 7.4 would mean argon is enabled by default ( https://wiki.php.net/rfc/sodium.argon.hash ) 🤔

what method did you use to install PHP? are you building it yourself?

@bendavies
Author

bendavies commented Feb 12, 2021

it doesn't come with sodium, no.
php needs to be compiled with --with-password-argon2 which i'm doing with https://phpbrew.github.io/phpbrew/

@bendavies
Author

i've recompiled anyway, so feel free to close.
but it may be nice to handle this failure a bit more nicely than a fatal

@azjezz
Owner

azjezz commented Feb 16, 2021

This definitely needs to be handled in a nicer way, i will leave it open until i figure out how to do so.

However, the official PHP build should contain support for argon2 if it contains sodium extension, so this is probably an issue that only people compiling their own PHP binaries will face.

@rauanmayemir

This is hitting me on CI and re/building PHP is not something I would want to do unless I really need argon2.

@azjezz
Owner

azjezz commented Apr 22, 2021

i will try finding a fix later this week, as for now, PRs are welcome :)

@weirdan
Contributor

weirdan commented May 4, 2021

> However, the official PHP build should contain support for argon2

Is that a thing though? I thought PHP project did not provide any builds whatsoever apart from their Windows builds. And distro builds can vary a lot.

@azjezz
Owner

azjezz commented May 4, 2021

> thought PHP project did not provide any builds whatsoever apart from their Windows builds.

no, you can find tarballs here: https://www.php.net/downloads

tho, i personally build my own binaries but with almost all options enabled.

@weirdan
Contributor

weirdan commented May 4, 2021

> no, you can find tarballs

Tarballs are not builds, so that's actually a 'yes' 😉

@azjezz
Owner

azjezz commented May 4, 2021

ah, yea.

but i still can't figure out how people compile PHP with ext-sodium ( which is required in composer.json ), but without argon2, since PHP 7.4, ext-sodium provides a fallback mechanism for argon2 when PHP is compiled without libargon ( RFC: https://wiki.php.net/rfc/sodium.argon.hash )

@azjezz
Owner

azjezz commented May 4, 2021

okay, it seems PHP does this only with libsodium newer than 9.6 ( https://github.com/php/php-src/pull/4012/files#diff-3fe4027560fd299248af1dc1efe04287cc2b6418e8f01755c05c9db64b668b1eR646-R650 ), so now i'm wondering if require ext-sodium ^9.2 is really a good solution here...

@weirdan
Contributor

weirdan commented May 4, 2021

In my case it turned out I was using different PHP binaries for installation and run time (phpenv can cause funny problems sometimes), so it's no longer an issue for me.

@azjezz
Owner

azjezz commented Jan 8, 2022

This issue has been fixed in 2.0.0, fixing it in 1.9 will result in BC breaks, so there's nothing that can be done.

@azjezz azjezz closed this as completed Jan 8, 2022
@supermavster

Thanks for all the comments, I have an idea:

Based on this post: Link

> This algorithm is only available if PHP has been compiled with Argon2 support. - password_hash

If you want to use it whenever it is available, I would recommend checking with defined, or else falling back to a default algorithm.

if (defined('PASSWORD_ARGON2ID')) {
    // Argon2id is compiled in; memory_cost is an integer number of KiB.
    $hash = password_hash('password123', PASSWORD_ARGON2ID, array('time_cost' => 10, 'memory_cost' => 2048, 'threads' => 6));
} else {
    // Fall back to the default algorithm; the Argon2 options do not apply to it.
    $hash = password_hash('password123', PASSWORD_DEFAULT);
}

so if we change the PASSWORD_ARGON2ID to PASSWORD_DEFAULT in the file:

azjezz/psl/src/Psl/Password/constants.php

would the whole process for the new version pass all the tests in the code?

it's only an idea :D
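
An added example, not code from this thread or from PSL: one way to handle a build without Argon2 without hitting the undefined-constant error, and to upgrade hashes that were written while the fallback was in effect. The function names `select_password_algorithm`, `hash_password` and `verify_and_upgrade`, the bcrypt cost of 12 and the sample password are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: pick the strongest algorithm this PHP binary supports.
// A bare PASSWORD_ARGON2ID on a build without Argon2 is the fatal error from
// this issue, so the constant is only read via constant() after defined().
function select_password_algorithm(): array
{
    foreach (['PASSWORD_ARGON2ID', 'PASSWORD_ARGON2I'] as $name) {
        if (defined($name)) {
            return [constant($name), []]; // use the build's default Argon2 costs
        }
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]]; // bcrypt is always available
}

function hash_password(string $password): string
{
    [$algo, $options] = select_password_algorithm();
    return password_hash($password, $algo, $options);
}

// Verify a login; if the stored hash is weaker than what this runtime
// offers (e.g. written by a bcrypt-only build), also return a replacement.
// Returns [bool $ok, ?string $newHash].
function verify_and_upgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    [$algo, $options] = select_password_algorithm();
    $newHash = password_needs_rehash($storedHash, $algo, $options)
        ? password_hash($password, $algo, $options)
        : null;
    return [true, $newHash];
}

// Constructed sample: a hash written with bcrypt cost 10 still verifies and
// is re-hashed with whatever select_password_algorithm() picks on this binary.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $upgraded] = verify_and_upgrade('correct horse battery staple', $legacy);
printf(
    "verified=%s stored=%s upgraded_to=%s\n",
    var_export($ok, true),
    password_get_info($legacy)['algoName'],
    $upgraded === null ? 'none' : password_get_info($upgraded)['algoName']
);
```

Running this with both the install-time and the run-time PHP binary shows which algorithm each one selects, which is the mismatch described earlier in the thread.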
