PasswordService
Service class for password hashing and verification.
Uses PHP's password_hash() with Argon2ID algorithm (preferred) or bcrypt as fallback for older PHP versions.
Table of Contents
Constants
- ARGON2_OPTIONS = ['memory_cost' => 65536 /* 64 MB */, 'time_cost' => 4 /* 4 iterations */, 'threads' => 3]
- Argon2ID options.
- BCRYPT_OPTIONS = ['cost' => 12]
- Bcrypt options (fallback).
- FALLBACK_ALGORITHM = PASSWORD_BCRYPT
- PREFERRED_ALGORITHM = PASSWORD_ARGON2ID
- Default algorithm for password hashing.
Properties
- $algorithm : string|int
- The algorithm to use for hashing.
- $options : array<string, int>
- Options for the hashing algorithm.
Methods
- __construct() : mixed
- Create a new PasswordService.
- generateToken() : string
- Generate a secure random token.
- getHashInfo() : array{algo: int|string|null, algoName: string, options: array}
- Get information about a password hash.
- hash() : string
- Hash a password using the configured algorithm.
- needsRehash() : bool
- Check if a hash needs to be rehashed.
- validateStrength() : array{valid: bool, errors: string[]}
- Validate password strength.
- verify() : bool
- Verify a password against a hash.
Constants
ARGON2_OPTIONS
Argon2ID options.
private
array<string, int>
ARGON2_OPTIONS
= [
'memory_cost' => 65536, // 64 MB
'time_cost' => 4, // 4 iterations
'threads' => 3,
]
These are conservative defaults that balance security with performance.
BCRYPT_OPTIONS
Bcrypt options (fallback).
private
array<string, int>
BCRYPT_OPTIONS
= ['cost' => 12]
FALLBACK_ALGORITHM
private
mixed
FALLBACK_ALGORITHM
= PASSWORD_BCRYPT
PREFERRED_ALGORITHM
Default algorithm for password hashing.
private
mixed
PREFERRED_ALGORITHM
= PASSWORD_ARGON2ID
Argon2ID is the recommended algorithm (PHP 7.3+). Falls back to bcrypt if Argon2ID is not available.
Properties
$algorithm
The algorithm to use for hashing.
private
string|int
$algorithm
$options
Options for the hashing algorithm.
private
array<string, int>
$options
Methods
__construct()
Create a new PasswordService.
public
__construct() : mixed
Automatically selects the best available algorithm.
generateToken()
Generate a secure random token.
public
generateToken([int<1, max> $length = 32 ]) : string
Useful for password reset tokens, API tokens, etc.
Parameters
- $length : int<1, max> = 32
- The length of the token in bytes (will be hex-encoded to 2x length)
Return values
string — The generated token
getHashInfo()
Get information about a password hash.
public
getHashInfo(string $hash) : array{algo: int|string|null, algoName: string, options: array}
Useful for debugging and migration purposes.
Parameters
- $hash : string
- The hash to get info about
Return values
array{algo: int|string|null, algoName: string, options: array}
hash()
Hash a password using the configured algorithm.
public
hash(string $password) : string
Parameters
- $password : string
- The plain-text password to hash
Return values
string — The hashed password
needsRehash()
Check if a hash needs to be rehashed.
public
needsRehash(string $hash) : bool
This should be called after successful verification to determine if the hash should be updated (e.g., if algorithm options changed).
Parameters
- $hash : string
- The hash to check
Return values
bool — True if the hash should be rehashed
validateStrength()
Validate password strength.
public
validateStrength(string $password) : array{valid: bool, errors: string[]}
Parameters
- $password : string
- The password to validate
Return values
array{valid: bool, errors: string[]} — Validation result
verify()
Verify a password against a hash.
public
verify(string $password, string $hash) : bool
Parameters
- $password : string
- The plain-text password to verify
- $hash : string
- The hash to verify against
Return values
bool — True if the password matches the hash
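
The flow that needsRehash() describes (verify first, then upgrade an outdated hash), as an added example that is not part of PasswordService or this project's code. It calls PHP's native password_* functions with the option values documented above; loginAndUpgrade() and the $persist callback are hypothetical names, and the stored hash is constructed sample data.

```php
<?php
declare(strict_types=1);

// Selection rule from the page: Argon2id when this PHP build has it, else bcrypt.
// Assumption: Argon2 comes from libargon2; the sodium-backed build accepts only threads = 1.
$algo    = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
$options = $algo === PASSWORD_BCRYPT
    ? ['cost' => 12]
    : ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 3];

/**
 * Hypothetical helper: check a login and upgrade the stored hash when it is outdated.
 *
 * @param string|int $algo    PASSWORD_* constant (int on PHP 7.3, string on 7.4+)
 * @param callable   $persist caller-supplied callback that stores the new hash
 */
function loginAndUpgrade(string $password, string $storedHash, $algo, array $options, callable $persist): bool
{
    if (!password_verify($password, $storedHash)) {
        return false; // a failed verification must never trigger a rehash
    }
    if (password_needs_rehash($storedHash, $algo, $options)) {
        // The plain-text password exists only during login, so upgrade here.
        $persist(password_hash($password, $algo, $options));
    }
    return true;
}

// Constructed sample: a legacy account whose hash was created as bcrypt, cost 10.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$save   = function (string $newHash) use (&$stored): void {
    $stored = $newHash; // stands in for an UPDATE on the user record
};

// Wrong password: the stored hash is reported before and after as the legacy algorithm.
var_dump(loginAndUpgrade('wrong guess', $stored, $algo, $options, $save));
echo password_get_info($stored)['algoName'], PHP_EOL;

// Correct password: the callback replaces the stored hash with the current settings.
var_dump(loginAndUpgrade('correct horse battery staple', $stored, $algo, $options, $save));
echo password_get_info($stored)['algoName'], PHP_EOL;
var_dump(password_needs_rehash($stored, $algo, $options));
```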