needRehash function to check if password parameters are up to date #102

Closed
realkarmakun opened this issue Feb 15, 2023 · 4 comments

realkarmakun commented Feb 15, 2023

Is your feature request related to a problem? Please describe.
Would like to check if hash actually needs rehashing before wasting resources on recalculating it.

Describe the solution you'd like
A needRehash method returning boolean (perhaps on HashChecker object) that shows if parameters are up to date without necessarily calling HashChecker#update.
I'm guessing that in current state, calling this method on hash with same parameters would generate new hash anyway, even if its parameters are the same as before.

Describe alternatives you've considered
Right now we are reading parameters from the encoded hash itself (e.g. $argon2id$t=...), but it sounds like a job that can be done by the library not the developer.

@realkarmakun realkarmakun changed the title needRehash function to check if password parameters are up to date. needRehash function to check if password parameters are up to date Feb 15, 2023
@firaja firaja added this to the 1.7.0 milestone Feb 15, 2023
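
The alternative described in the opening post, reading the parameters from the encoded hash itself, shown as an added example (not Password4j code and not from this thread). It uses only the JDK; the policy values, class name and sample hashes are constructed for illustration, and the check is meant to run only after the password has been verified, since rehashing needs the plaintext.

```java
import java.util.HashMap;
import java.util.Map;

public class Argon2RehashCheck {
    // Assumed current policy (constructed values, not Password4j defaults).
    static final String VARIANT = "argon2id";
    static final int MEMORY_KIB = 65536, ITERATIONS = 3, PARALLELISM = 4;

    /** True when the stored hash was not produced with the current policy. */
    static boolean needsRehash(String encoded) {
        // Expected layout: $argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>
        String[] parts = encoded.split("\\$");
        if (parts.length != 6 || !parts[0].isEmpty()) {
            return true; // other algorithm, or legacy Argon2 encoding without v=
        }
        if (!VARIANT.equals(parts[1]) || !"v=19".equals(parts[2])) {
            return true; // different variant or Argon2 version
        }
        Map<String, Integer> params = new HashMap<>();
        try {
            for (String kv : parts[3].split(",")) {
                String[] pair = kv.split("=", 2);
                params.put(pair[0], Integer.parseInt(pair[1]));
            }
        } catch (RuntimeException e) {
            return true; // malformed parameter block: treat as outdated
        }
        // Salt and digest (parts[4], parts[5]) are not inspected here.
        return params.getOrDefault("m", -1) != MEMORY_KIB
            || params.getOrDefault("t", -1) != ITERATIONS
            || params.getOrDefault("p", -1) != PARALLELISM;
    }

    public static void main(String[] args) {
        // Constructed sample hashes; salt and digest fields are placeholders.
        String[] stored = {
            "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNo",
            "$argon2id$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$aGFzaGhhc2hoYXNo",
            "$argon2i$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNo",
            "not-a-phc-string"
        };
        for (String s : stored) {
            System.out.println(needsRehash(s) + "  " + s);
        }
    }
}
```

Treating anything unparseable as outdated means an unexpected format is upgraded at the next successful login instead of being silently kept.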
Member

firaja commented Feb 15, 2023

Hi @realkarmakun thanks for the suggestion.
Do you need a boolean function that tells if you need to update the hash or just the certainty that the library would not calculate a new hash?
I prefer the first one, because one would need to regenerate the salt even if the parameters didn't change.

Author

realkarmakun commented Feb 15, 2023

@firaja
Yes I prefer first option as well. It would allow more control over when generation happens and overall more intuitive (IMHO). Checks if update is needed => Updates the hash.

Not sure about handling updates between algorithms in this case though. Is it possible to check what algorithm was used in original hash after the check call?

Member

firaja commented Feb 15, 2023

Hi @realkarmakun,

the feature requested is in master branch. The 1.7.0 release will be public by the end of the week.

You can check if there has been an update with a boolean flag like in this example:

HashUpdate update = Password.check(password, hash.getResult())
                .andUpdate().with(...);

update.isUpdated(); // true or false

Using a different algorithm even with different parameters, using #addNewSalt(...) or #addNewPepper(...) makes the library recalculate the hash.

If you need to force the update for any reason, you can use #forceUpdate(). For example Bcrypt salt could be regenerated internally by the library.

HashUpdate updated5 = Password.check(password, hash.getResult())
                .andUpdate().forceUpdate().with(...);

updated5.isUpdated(); // true

Member

firaja commented Feb 18, 2023

Hi @realkarmakun ,

version 1.7.0 is now public.
See the changelog for further information.
