Merge pull request #46186 from nextcloud/feat/validate-hash

feat: Add utility method to validate an IHasher hash
nextcloud · Jul 5, 2024 · 915eef6 · 915eef6
2 parents 4a8cf14 + 48b69c5
commit 915eef6
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 1 deletion.
diff --git a/lib/private/Security/Hasher.php b/lib/private/Security/Hasher.php
@@ -79,7 +79,7 @@ public function hash(string $message): string {
 	/**
 	 * Get the version and hash from a prefixedHash
 	 * @param string $prefixedHash
-	 * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
+	 * @return null|array{version: int, hash: string} Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
 	 */
 	protected function splitHash(string $prefixedHash): ?array {
 		$explodedString = explode('|', $prefixedHash, 2);
@@ -190,4 +190,18 @@ private function getPrefferedAlgorithm(): string {
 
 		return $default;
 	}
+
+	public function validate(string $prefixedHash): bool {
+		$splitHash = $this->splitHash($prefixedHash);
+		if (empty($splitHash)) {
+			return false;
+		}
+		$validVersions = [3, 2, 1];
+		$version = $splitHash['version'];
+		if (!in_array($version, $validVersions, true)) {
+			return false;
+		}
+		$algoName = password_get_info($splitHash['hash'])['algoName'];
+		return $algoName !== 'unknown';
+	}
 }
diff --git a/lib/public/Security/IHasher.php b/lib/public/Security/IHasher.php
@@ -47,4 +47,11 @@ public function hash(string $message): string;
 	 * @since 8.0.0
 	 */
 	public function verify(string $message, string $hash, &$newHash = null): bool ;
+
+	/**
+	 * Check if the prefixed hash is valid
+	 *
+	 * @since 30.0.0
+	 */
+	public function validate(string $prefixedHash): bool;
 }
diff --git a/tests/lib/Security/HasherTest.php b/tests/lib/Security/HasherTest.php
@@ -264,4 +264,29 @@ public function testHashUsePasswordDefault() {
 		$info = password_get_info($relativePath['hash']);
 		$this->assertEquals(PASSWORD_BCRYPT, $info['algo']);
 	}
+
+	public function testValidHash() {
+		$hash = '3|$argon2id$v=19$m=65536,t=4,p=1$czFCSjk3LklVdXppZ2VCWA$li0NgdXe2/jwSRxgteGQPWlzJU0E0xdtfHbCbrpych0';
+
+		$isValid = $this->hasher->validate($hash);
+
+		$this->assertTrue($isValid);
+	}
+
+	public function testValidGeneratedHash() {
+		$message = 'secret';
+		$hash = $this->hasher->hash($message);
+
+		$isValid = $this->hasher->validate($hash);
+
+		$this->assertTrue($isValid);
+	}
+
+	public function testInvalidHash() {
+		$invalidHash = 'someInvalidHash';
+
+		$isValid = $this->hasher->validate($invalidHash);
+
+		$this->assertFalse($isValid);
+	}
 }