From 3625622670f135e30ece750537fc8bf64882c05a Mon Sep 17 00:00:00 2001
From: Marco <marco@delight.im>
Date: Sat, 17 May 2025 18:19:07 +0200
Subject: [PATCH] Extract usages of hashing for passwords to new class
 'PasswordHash'

---
 src/Auth.php         |  6 +++---
 src/PasswordHash.php | 46 ++++++++++++++++++++++++++++++++++++++++++++
 src/UserManager.php  |  4 ++--
 3 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 src/PasswordHash.php

diff --git a/src/Auth.php b/src/Auth.php
index 6ec8dfd..dc230ec 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -366,7 +366,7 @@ final class Auth extends UserManager {
 			}
 
 			if (!empty($expectedHash)) {
-				$validated = \password_verify($password, $expectedHash);
+				$validated = PasswordHash::verify($password, $expectedHash);
 
 				if (!$validated) {
 					$this->throttle([ 'reconfirmPassword', $this->getIpAddress() ], 3, (60 * 60), 4, false);
@@ -1229,9 +1229,9 @@ final class Auth extends UserManager {
 
 		$password = self::validatePassword($password);
 
-		if (\password_verify($password, $userData['password'])) {
+		if (PasswordHash::verify($password, $userData['password'])) {
 			// if the password needs to be re-hashed to keep up with improving password cracking techniques
-			if (\password_needs_rehash($userData['password'], \PASSWORD_DEFAULT)) {
+			if (PasswordHash::needsRehash($userData['password'])) {
 				// create a new hash from the password and update it in the database
 				$this->updatePasswordInternal($userData['id'], $password);
 			}
diff --git a/src/PasswordHash.php b/src/PasswordHash.php
new file mode 100644
index 0000000..1eccd09
--- /dev/null
+++ b/src/PasswordHash.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * PHP-Auth (https://github.com/delight-im/PHP-Auth)
+ * Copyright (c) delight.im (https://www.delight.im/)
+ * Licensed under the MIT License (https://opensource.org/licenses/MIT)
+ */
+
+namespace Delight\Auth;
+
+final class PasswordHash {
+
+	const HASH_ALGORITHM_IDENTIFIER = \PASSWORD_DEFAULT;
+
+	/**
+	 * Creates a computationally expensive hash from a password
+	 *
+	 * @param string $passwordText
+	 * @return string|bool
+	 */
+	public static function from($passwordText) {
+		return \password_hash($passwordText, self::HASH_ALGORITHM_IDENTIFIER);
+	}
+
+	/**
+	 * Verifies whether a password matches a computationally expensive hash
+	 *
+	 * @param string $passwordText
+	 * @param string $expectedHash
+	 * @return bool
+	 */
+	public static function verify($passwordText, $expectedHash) {
+		return \password_verify($passwordText, $expectedHash);
+	}
+
+	/**
+	 * Checks whether a computationally expensive hash needs to be updated to match a desired algorithm and set of options
+	 *
+	 * @param string $existingHash
+	 * @return bool
+	 */
+	public static function needsRehash($existingHash) {
+		return \password_needs_rehash($existingHash, self::HASH_ALGORITHM_IDENTIFIER);
+	}
+
+}
diff --git a/src/UserManager.php b/src/UserManager.php
index 620c737..c02e16e 100644
--- a/src/UserManager.php
+++ b/src/UserManager.php
@@ -160,7 +160,7 @@ abstract class UserManager {
 			}
 		}
 
-		$password = \password_hash($password, \PASSWORD_DEFAULT);
+		$password = PasswordHash::from($password);
 		$verified = \is_callable($callback) ? 0 : 1;
 
 		try {
@@ -201,7 +201,7 @@ abstract class UserManager {
 	 * @throws AuthError if an internal problem occurred (do *not* catch)
 	 */
 	protected function updatePasswordInternal($userId, $newPassword) {
-		$newPassword = \password_hash($newPassword, \PASSWORD_DEFAULT);
+		$newPassword = PasswordHash::from($newPassword);
 
 		try {
 			$affected = $this->db->update(